OCSP Stapling in Avi Vantage

Overview

Online certificate status protocol (OCSP) stapling is an extension of the OCSP protocol. The validity of SSL/TLS certificates can be checked using OCSP stapling. To know more about OCSP stapling, click here.

An SSL certificate can be revoked by the certificate authority (CA) before the scheduled expiration date, and this implies that certificate can no longer be trusted. This process of invalidating an issued SSL certification before expiry of the certificate’s validity is called certificate revocation.

It is critical for browsers and clients to detect if a certificate has been revoked and suggest a security warning.

Certificate revocations are checked either using the Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP).

A CRL is a large list of certificates that have been revoked by the CA. When a client sends a request for an SSL connection to a virtual service, Avi Vantage checks the CAs and CRL(s) in the virtual service’s PKI profile to verify whether the client certificate is still valid. To know more, refer to the Full-chain CRL Checking for Client Certificate Validation article.

Downloading and updating the large list of serial numbers that have been revoked can be cumbersome.

In the OCSP method, the client queries the status of a single certificate, instead of downloading and parsing an entire list. This results in lesser overhead on the client and network. Since OCSP requests are sent for each certificate, this can be an overhead for the OCSP responder in case of high traffic.

OCSP Stapling

The RFC 2560 describes a new method for checking revoked certificates called OCSP stapling. In this method, when a certificate has to be verified, the browser issues an OCSP Request with the serial number of the certificate to the OCSP responder. The OCSP responder looks up the CA database using the serial number and fetches the revocation status of the certificate corresponding to the serial number and returns the revocation status of the certificate through a signed OCSP response.

The client does not have to communicate with the CA server time and again to get the certificate status. Avi Vantage retrieves the information and serves it to the client on receiving a request.

In Avi, OCSP stapling can be enabled only on the Application certificates and the Root/Intermediate certificates. However, only the Application certificate’s OCSP response will be stapled to the certificate in the TLS/SSL handshake.

Starting with Avi Vantage version 20.1.3, OCSP Stapling can be enabled and configured via the Avi UI and the CLI.

Parameters in OCSP Stapling

This sections introduces the parameters that will be configured to use the OCSP stapling feature in Avi Vantage:

Time Parameters

UI Field CLI Label Description
Frequency Interval ocsp_req_interval Define the time interval between OCSP requests.
Response Timeout ocsp_resp_timeout Define the time interval for which the Controller waits for the response from the CA. If there is no response from the responder, the failover mechanism will be initiated.
Fail Job Interval ocsp_job_fail_interval Use this option to schedule OCSP job at smaller intervals, in case there is no response received within the Response (ocsp_req_interval) timeout.
Max Tries max_tries Maximum number of times the failed OCSP jobs can be scheduled.

Responder URL Action

In the absence of a response from the OCSP server, a failover mechanism is initiated. One of the following URL actions can be selected as a URL action:

UI Field Description
Failover Select this method to strictly use user-configured URLs (`responder_url_lists`) instead of the CA configured URLs.
Override Select this method to strictly use user-configured URLs (responder_url_lists) instead of the CA configured URLs. Select this method to try reaching the URLs found in AIA extension of the certificate first ocsp_responder_url_list_from_certs. If the system is unable to fetch a response, then it will fall back to the respondent URL list (responder_url_lists).

Note: If for any reason, the OCSP request could not be processed, OCSPErrorStatus tracks the status errors to include failures in the OCSP workflow.

Using OCSP Stapling via the UI

Configuring OCSP Stapling

OCSP stapling can be enabled via the Avi UI for Root/Intermediate CA Certificates and Application Certificates.

Notes:

  1. OCSP stapling can be enabled only on Root/Intermediate certificates and Application certificates , and cannot be enabled on controller certificates
  2. In case of application certificates, OCSP stapling is currently supported in the CSR and the import modes. OCSP stapling cannot be enabled for self-signed certificates.

To enable OCSP stapling,

  1. From the Avi UI, navigate to Templates > Security > SSL/TLS Certificates.

  2. Click on Create > Root/Intermediate CA Certificate.

  3. Enter a Name for the certificate.

  4. Upload the certificate/ paste the details in the text box provided.

  5. Click on Enable OCSP stapling to enable the option.

  6. Enter a value between 60-31536000 as the Frequency Interval.

  7. Enter a value in seconds as the Response Timeout.

  8. Enter a value between 60-86400 seconds as the Fail Job Interval.

    Note: To understand more about the time parameters, click here.

  9. Enter Max Tries to define the number of times the failed job gets scheduled (with Fail Job Interval) . After the maximum number of tries are exhausted, the job will get scheduled with regular OCSP job (Frequency Interval).

  10. Under OCSP Responder URL List, enter the responder URL to do a failover/override the AIA extension contained in the OCSP responder’s SSL/TLS certificate.

  11. Click on Add OCSP Responder URL.

  12. Select a Responder URL Action. To understand more, click here. The Add Certificate screen with OCSP Stapling configured is as shown below:

    OCSP Stapling UI

  13. Click on Validate.

Handling Revoked Certificates

  • Events/alerts are raised whenever the SSL certificate status changes to Revoked or Issuer Revoked.

  • If a certificate is revoked, the certificate’s status will be marked as Revoked in the Avi UI.

  • If a root/intermediate certificate is revoked, all the certificates issued by the revoked root/intermediate certificate will be marked as Issuer Revoked. The Controller will stop requesting OCSP certificate status for these certificates.

  • SSL score of all the certificates with status as Revoked or Issuer Revoked will be marked 0.

Stapling Updates

  • Virtual service faults are added to alert the users when the certificate is either Revoked or Issuer Revoked.

Stapling Updates

OCSP Stapling During SSL Handshake

When the OCSP response is sent to client, the exchange of stapling information in the SSL handshake is as shown below:

Stapling Updates

Using OCSP Stapling via CLI

Enabling OCSP Stapling

OCSP stapling can be configured via the CLI using the enable_ocsp_stapling flag within the certificate object and configured as shown below:


[admin:user-ctrl]: > configure sslkeyandcertificate test-cert
[admin:user-ctrl]: sslkeyandcertificate> enable_ocsp_stapling
Overwriting the previously entered value for enable_ocsp_stapling
[admin:user-ctrl]: sslkeyandcertificate> ocsp_config
[admin:user-ctrl]: sslkeyandcertificate:ocsp_config> ocsp_req_interval 21600
Overwriting the previously entered value for ocsp_req_interval
[admin:user-ctrl]: sslkeyandcertificate:ocsp_config> ocsp_resp_timeout 60
[admin:user-ctrl]: sslkeyandcertificate:ocsp_config> url_action ocsp_responder_url_
ocsp_responder_url_failover Used as a Failover URL to the AIA extension contained in the certificate.
ocsp_responder_url_override URL configured is used instead of the URL contained in the AIA extension of the certificate.
[admin:user-ctrl]: sslkeyandcertificate:ocsp_config> url_action ocsp_responder_url_failover
[admin:user-ctrl]: sslkeyandcertificate:ocsp_config> responder_url_lists
[admin:user-ctrl]: sslkeyandcertificate:ocsp_config> responder_url_lists  http://ocsp2.example.com:8080/
[admin:user-ctrl]: sslkeyandcertificate:ocsp_config> failed_ocsp_jobs_retry_interval 30
Overwriting the previously entered value for failed_ocsp_jobs_retry_interval
[admin:user-ctrl]: sslkeyandcertificate:ocsp_config> save
[admin:user-ctrl]: sslkeyandcertificate> save

The configuration is viewed as shown below:


+-------------------------------------------+--------------------------------------------------------------------------------------------------+
| Field                                     | Value                                                                                            |
+-------------------------------------------+--------------------------------------------------------------------------------------------------+
| uuid                                      | sslkeyandcertificate-380d9e69-4f04-4519-8151-c89ff2d7bb6f                                        |
| name                                      | test-cert                                                                                        |
| type                                      | SSL_CERTIFICATE_TYPE_VIRTUALSERVICE                                                              |
| certificate                               |                                                                                                  |
| version                                   | 2                                                                                                |
| serial_number                             | 15597070261980010830                                                                             |
| self_signed                               | True                                                                                             |
| issuer                                    |                                                                                                  |
| common_name                               | test.example.com                                                                                 |
| email_address                             | usera@abc.com                                                                                    |
| organization_unit                         | L7                                                                                               |
| organization                              | abc                                                                                              |
| locality                                  | Bangalore                                                                                        |
| state                                     | Karnataka                                                                                        |
| country                                   | IN                                                                                               |
| distinguished_name                        | C=IN, ST=Karnataka, L=Bangalore, O=VMware, OU=L7, CN=test.example.com, emailAddress=user@abc.com |
|                                           |                                                                                                  |    
| enable_ocsp_stapling                      | True                                                                                             |
| ocsp_config                               |                                                                                                  |
|     ocsp_req_interval                     | 21600 sec                                                                                        |
|     ocsp_resp_timeout                     | 60 sec                                                                                           |
|     responder_url_lists[1].               | http://ocsp.example.com/                                                                         |
|     url_action                            | OCSP_RESPONDER_URL_FAILOVER                                                                      |
|     failed_ocsp_jobs_retry_interval       | 30 sec                                                                                           |
| tenant_ref                                | admin                                                                                            |
+-------------------------------------------+--------------------------------------------------------------------------------------------------+

Note: If a successful OCSP response is received, the next_update value and the ocsp_req_interval value are compared and the lesser value of the two is used to schedule the next OCSP Request.

Refer to the time parameters and the Responder URL Action options to understand further.

Verifying the Certificate Status

If OCSP stapling is enabled for a certificate, the Avi Controller looks for the OCSP URL under the Authority Information Access (AIA) extension, in the certificate, and sends a request to the identified URL.

Both GET and POST HTTP methods are supported. The OCSP requests are first sent using the POST method. In case there is no response, or if there is an error, the GET method is used.

On receiving the OCSP requests, the CA servers or responders respond with the certificate status. The OCSP responses can’t be forged as they are directly signed by the CA. The Avi Controller verifies the signature of the OCSP response. If the response verification fails, the response is dropped and failover mechanisms are triggered to send further requests.

The CA responds with one of the following certificate statuses:

  • Good: A positive response is received to the status inquiry and the certificate with the requested certificate serial number the certificate is not revoked within the validity interval.
  • Revoked: The certificate has been revoked, either temporarily or permanently.
  • Unknown: The responder does not recognize the certificate being requested. This may be because the request indicates an unrecognised issuer that is not served by this responder

The certificate status can be viewed as shown below:

OCSP Stapling UI


OCSP Stapling UI

Application Logs

App logs are generated with the following significance:

  • Certificate Status is Revoked
  • Certificate status is Issuer Revoked
  • Certificate Status is Unavailable
  • OCSP response is stale.

To control the significant logs for the above scenarios, configure analytics profile as shown below:


[admin:controller-vmdc2]: > configure analyticsprofile
System-Analytics-Profile
[admin:controller-vmdc2]: > configure analyticsprofile System-Analytics-Profile
Updating an existing object. Currently, the object is:
+-------------------------------------------------+-------------------------------------------------------+
| Field                                           | Value                                                 |
+-------------------------------------------------+-------------------------------------------------------+
| uuid                                            | analyticsprofile-1775513e-bbf5-47ce-a067-42237c91315d |
| name                                            | System-Analytics-Profile                              |
| tenant_ref                                      | admin                                                 |
| exclude_revoked_ocsp_responses_as_error         | True                                                  |
| exclude_stale_ocsp_responses_as_error           | True                                                  |
| exclude_issuer_revoked_ocsp_responses_as_error  | True                                                  |
| exclude_unavailable_ocsp_responses_as_error     | True                                                  |
| hs_security_ocsp_revoked_score                  | 0.0                                                   |
| enable_adaptive_config                          | True                                                  |
+-------------------------------------------------+-------------------------------------------------------+

+-------------------------------------------------+-------------------------------------------------------+
[admin:controller-vmdc2]: analyticsprofile> no exclude_revoked_ocsp_responses_as_error                    | 
+-------------------------------------------------+-------------------------------------------------------+
| Field                                           | Value                                                 |
+-------------------------------------------------+-------------------------------------------------------+
| uuid                                            | analyticsprofile-1775513e-bbf5-47ce-a067-42237c91315d |
| name                                            | System-Analytics-Profile                              |
| tenant_ref                                      | admin                                                 |
| exclude_revoked_ocsp_responses_as_error         | False                                                 |
| exclude_stale_ocsp_responses_as_error           | True                                                  |
| exclude_issuer_revoked_ocsp_responses_as_error  | True                                                  |
| exclude_unavailable_ocsp_responses_as_error     | True                                                  |
| hs_security_ocsp_revoked_score                  | 0.0                                                   |
| enable_adaptive_config                          | True                                                  |
+-------------------------------------------------+-------------------------------------------------------+

+-------------------------------------------------+-------------------------------------------------------+
[admin:controller-vmdc2]: analyticsprofile>  hs_security_ocsp_revoked_score 3.0                           | 
+-------------------------------------------------+-------------------------------------------------------+
| Field                                           | Value                                                 |
+-------------------------------------------------+-------------------------------------------------------+
| uuid                                            | analyticsprofile-1775513e-bbf5-47ce-a067-42237c91315d |
| name                                            | System-Analytics-Profile                              |
| tenant_ref                                      | admin                                                 |
| exclude_revoked_ocsp_responses_as_error         | False                                                 |
| exclude_stale_ocsp_responses_as_error           | True                                                  |
| exclude_issuer_revoked_ocsp_responses_as_error  | True                                                  |
| exclude_unavailable_ocsp_responses_as_error     | True                                                  |
| hs_security_ocsp_revoked_score                  | 3.0                                                   |
| enable_adaptive_config                          | True                                                  |
+-------------------------------------------------+-------------------------------------------------------+

The following fields are configurable:

  • exclude_revoked_ocsp_responses_as_error
  • exclude_stale_ocsp_responses_as_error
  • exclude_issuer_revoked_ocsp_responses_as_error
  • exclude_unavailable_ocsp_responses_as_error

All these fields are enabled by default. When set to True, the corresponding logs will be excluded from the significance logs. To include the logs in the significant logs, set the fields to False.

In addition, hs_security_ocsp_revoked_score can also be configured. By default, the score is set to 0.0 when the certificate or issuer certificate is revoked.

Risk and Risk Mitigation

OCSP stapling is effective because it offloads OCSP requests from browser to the server, but it’s optional. Browsers have no idea a response is expected or not, and therefore they use a soft-fail behaviour. This can lead to a security compromise. To avoid this, the certificate extension called OCSP Must-Staple is used. With this label, the server communicates to the browser that the certificate has to be served with a valid OCSP response. In the absence of which, the certificate will not be accepted.

In case of a security compromise, even if the attacker has the key, they must supply an OCSP staple when using the certificate. If not, the browser will reject the certificate. If an OCSP staple is included, then the response will identify that the certificate as revoked, and the browser will reject the certificate.

This mitigates the security issues of OCSP stapling.

Caveat

  • OCSP Stapling v2 described in RFC RFC6961 defines a new extension status_request_v2 that enables the client to request the status of all certificates in the chain. In Avi Vantage, multiple certificate status requests are not supported currently. When a client sends the client hello with “status_request_v2” extension, Avi Vantage will return the certificate status of the only the application certificate directly attached to the virtual service.

Document Revision History

Date Change Summary
December 12, 2020 Updated the content for Configuring OCSP Stapling via the UI (Version 20.1.3)
July 30, 2020 Published the Feature KB for OCSP-Stapling in Avi Vantage (Version 20.1.1)
May 18, 2020 Published the Feature KB for OCSP-Stapling in Avi Vantage (Tech Preview)