WebPageTest

billyboylindien · (This post was last modified: 07-19-2019 06:16 PM by billyboylindien.)

Hi,
I'm really new with ocsp stapling.

I activated it on our website.
Before:
https://www.webpagetest.org/result/19071...bd8402743/
After:
https://www.webpagetest.org/result/19071...68b7bd1e2/

Before we had 2 ocsp calls but it still remain one call to http://ocsp.usertrust.com

Is it normal ?
Maybe my apache configuration is not ok ?

Code:

SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt

        SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

        SSLUseStapling on

Code:

# echo QUIT | openssl s_client -servername www.sutunam.com -connect www.sutunam.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

OCSP response:

======================================

OCSP Response Data:

    OCSP Response Status: successful (0x0)

    Response Type: Basic OCSP Response

    Version: 1 (0x0)

    Responder Id: 2C69FF80C98790AE34E1B4E74C93859940E9A7B2

    Produced At: Jul 18 07:05:04 2019 GMT

    Responses:

    Certificate ID:

      Hash Algorithm: sha1

      Issuer Name Hash: BCDE91268256135DFC85EFC392F9189345669D92

      Issuer Key Hash: 2C69FF80C98790AE34E1B4E74C93859940E9A7B2

      Serial Number: BFDA66FABBB25F667729D64937F5D7C1

    Cert Status: good

    This Update: Jul 18 07:05:04 2019 GMT

    Next Update: Jul 22 07:05:04 2019 GMT

I was thinking once activated there will be no more ocsp call Smile

andydavies · 07-20-2019, 08:42 PM

The certificate change is leaf (sutunam.com) > intermediary (sectigo) > root (User Trust)

In this case it looks like the intermediary cert from sectigo that's not being stapled, which is pretty common for digicert (which is who sectigo are) EV certificates

If you examine the cert chain in Chrome or Safari, you'll see the OCSP end point for the intermediary certificate matches the request you're seeing