
Implement OCSP stapling for Apache #930

Closed
jsha opened this issue Oct 8, 2015 · 11 comments

Comments

@jsha
Contributor

jsha commented Oct 8, 2015

OCSP Stapling is important for end-user privacy, end-user performance, and traffic offload for Let's Encrypt. We should implement it in Apache. Here's an example config: https://github.com/jsha/ocsp-stapling-examples.

@bmw bmw added this to the Nice for 1.0 milestone Oct 13, 2015
@pde
Member

pde commented Oct 30, 2015

@sagi has expressed some interest in working on this

@sagi
Member

sagi commented Nov 6, 2015

Yes. I'm currently working on an HSTS header enhancement. OCSP stapling is next.

@jsha
Contributor Author

jsha commented Mar 18, 2016

FYI: I think we eventually want OCSP Stapling (but not Must Staple) to be enabled by default when autoconfiguring Apache. However, for the first release that includes this code, we should probably require a flag to request the enhancement. That way people can test and find bugs before we make it the default.

Also, one tricky thing that @SwartzCr noticed: I believe OCSP Stapling in Apache depends on the socache_shmcb module, which was introduced in 2.4. In order to be backwards compatible with 2.2 you'll have to check the version you're working with. It's possible that OCSP Stapling works in 2.2 if you simply omit the shmcb parts. You may also be able to fudge it for a first pass by only enabling OCSP Stapling for 2.4+.

@jsha
Contributor Author

jsha commented Mar 21, 2016

@sagi, were you able to make progress on this over the weekend?

@sagi
Member

sagi commented Mar 21, 2016

Not much. I mostly read RFC 7633 and messed with its Apache config.

@jsha
Contributor Author

jsha commented Mar 21, 2016

If it helps, I have some example configs at https://github.com/jsha/ocsp-stapling-examples.

@sagi
Member

sagi commented Mar 22, 2016

@jsha, @pde: I tend to agree with Adam Langley's take on OCSP Stapling - it must be entwined with the must-staple extension. Otherwise it should be off.

@jsha
Contributor Author

jsha commented Mar 22, 2016

From reading that post, I don't see an assertion that Stapling should be disabled unless Must Staple is present in the certificate. The point I see in that post is that individuals should not enable revocation checking in their Chrome browser.

Note that Firefox and MSIE still check OCSP, even though Chrome doesn't. For users of those browsers, non-stapled OCSP is both a performance and privacy loss. For Let's Encrypt, non-stapled OCSP increases the number of requests we have to serve. Those three reasons are why I think we should make Stapling the default. Cloudflare agrees.

@sagi
Member

sagi commented Mar 22, 2016

No, that is not what I meant.
OCSP shouldn't be used.
OCSP Stapling ~~+ must staple extension~~ should become default. ~~If OCSP Stapling is on but the certificate doesn't have the must staple extension - OCSP Stapling should be off~~.

Got it. Thanks.

@RichardNeill

It may help to provide a tested "incantation".
I have the following in my
/etc/apache2/mods-available/ssl.conf
which has worked well for over a year.

-----begin----
#Enable SSL Cert Stapling. Configuration for SSL cert stapling, as suggested by
#https://support.globalsign.com/customer/portal/articles/1642333-apache---enable-ocsp-stapling
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling_cache(128000)"
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingStandardCacheTimeout 86400
SSLStaplingErrorCacheTimeout 1200
---end-----

I believe if you add this to the file /etc/letsencrypt/options-ssl-apache.conf then that's all you need to do to close this bug.

To test, you can use SSLLabs.com and search for "OCSP stapling" in the protocol details.
[Surprisingly, a lack of OCSP stapling doesn't cause us to lose an "A+".]
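As an added example that is not part of this thread or of certbot's own code, the following Python checker applies the points raised above to a config fragment: the directives in the fragment just posted, the 2.4 requirement for the shmcb cache mentioned earlier, and the `SSLStaplingReturnResponderErrors` default. The finding codes and the `check_stapling` / `parse_directives` names are my own; `SAMPLE_CONFIG` is a copy of the fragment posted above.

```python
# Check an Apache mod_ssl fragment for a coherent OCSP stapling setup.
# Sample input: the fragment posted in this thread (copied, comments trimmed).
SAMPLE_CONFIG = """\
# Enable SSL Cert Stapling.
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling_cache(128000)"
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingStandardCacheTimeout 86400
SSLStaplingErrorCacheTimeout 1200
"""


def parse_directives(config_text):
    """Map directive name -> value for each non-comment line.
    A later repeat of the same directive overrides an earlier one."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        directives[parts[0]] = value
    return directives


def parse_version(version):
    """'2.4.18' -> (2, 4, 18) so Apache versions compare as tuples."""
    return tuple(int(p) for p in version.split("."))


def check_stapling(config_text, apache_version):
    """Return a list of (code, message) findings; an empty list means the
    fragment enables stapling coherently for that Apache version."""
    d = parse_directives(config_text)
    if d.get("SSLUseStapling", "off").lower() != "on":
        return [("stapling_off", "SSLUseStapling is not 'on'; nothing is stapled")]
    findings = []
    if parse_version(apache_version) < (2, 4):
        # 2.2 mod_ssl has no SSLUseStapling (added in 2.3.3) and no mod_socache_shmcb.
        findings.append(("old_apache", "stapling directives need Apache 2.4+"))
    if not d.get("SSLStaplingCache"):
        findings.append(("no_cache", "SSLUseStapling on requires an SSLStaplingCache"))
    if d.get("SSLStaplingReturnResponderErrors", "on").lower() == "on":
        # Default is 'on': responder errors would be stapled and sent to clients.
        findings.append(("responder_errors", "set SSLStaplingReturnResponderErrors off"))
    return findings
```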

@jsha jsha unassigned sagi May 6, 2016
@bmw
Copy link
Member

bmw commented Aug 17, 2016

This was resolved in #2723.

@bmw bmw closed this as completed Aug 17, 2016
@bmw bmw modified the milestones: 0.7.0, 1.0.0 Aug 17, 2016