2.14 Testing OCSP Stapling
OCSP stapling is an optional feature that allows a server certificate to be accompanied by an OCSP response that proves its validity. Because the OCSP response is delivered over an already existing connection, the client does not have to fetch it separately.
OCSP stapling is used only if requested by a client, which submits the status_request extension in the handshake request. A server that supports OCSP stapling will respond by including an OCSP response as part of the handshake.
When using the s_client tool, OCSP stapling is requested with the -status switch:
$ echo | openssl s_client -connect www.feistyduck.com:443 -status
The OCSP-related information will be displayed at the very beginning of the connection output. For example, with a server that does not support stapling you will see this line near the top of the output:
CONNECTED(00000003)
OCSP response: no response sent
With a server that does support stapling, you will see the entire OCSP response in the output:
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
Produced At: Aug 30 22:35:12 2020 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
Serial Number: F47F09B599124B1F08846AC4D71EB0F2
Cert Status: good
This Update: Aug 30 22:35:12 2020 GMT
Next Update: Sep 6 22:35:12 2020 GMT
Signature Algorithm: sha256WithRSAEncryption
1b:9d:be:3e:e6:b2:9a:e6:22:fe:69:cc:55:a9:62:5d:29:79:
[...]
The certificate status good means that the certificate has not been revoked.
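To turn this manual check into a repeatable test, the following added example (not part of the book) parses the s_client -status output shown above, reports whether a response was stapled, and also checks the Cert Status and the This Update / Next Update window, since a stapled response that has passed its Next Update is no longer useful to the client. The check_host helper is a hypothetical name and assumes the openssl binary is on the PATH; the sample outputs are constructed, not real captures.

```python
import re
import subprocess
from datetime import datetime, timezone

def utc(text):
    """Parse an OpenSSL timestamp such as 'Aug 30 22:35:12 2020 GMT' into an aware datetime."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_staple(output):
    """Pick the stapled OCSP response out of `openssl s_client -status` output."""
    if "OCSP response: no response sent" in output:
        return {"stapled": False}
    fields = dict(re.findall(r"^\s*(Cert Status|This Update|Next Update): (.+?)\s*$", output, re.M))
    if "Cert Status" not in fields:
        return {"stapled": False}  # -status was given but nothing we can interpret came back
    info = {"stapled": True, "status": fields["Cert Status"]}
    for key, name in (("This Update", "this_update"), ("Next Update", "next_update")):
        if key in fields:
            info[name] = utc(fields[key])
    return info

def evaluate(info, now):
    """Return findings; an empty list means the staple is acceptable at time `now`."""
    if not info["stapled"]:
        return ["no OCSP response stapled"]
    findings = []
    if info["status"] != "good":
        findings.append("certificate status is " + info["status"])
    if info.get("this_update", now) > now:
        findings.append("staple dated in the future (check clocks)")
    if "next_update" not in info:
        findings.append("no Next Update; staple lifetime cannot be bounded")
    elif info["next_update"] < now:
        findings.append("staple expired at " + info["next_update"].isoformat())
    return findings

def check_host(host, port=443):
    """Live check with the chapter's s_client invocation (plus SNI); hypothetical helper, not run offline."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    return evaluate(parse_staple(proc.stdout.decode(errors="replace")), datetime.now(timezone.utc))

# Constructed samples modelled on the chapter's output (not real captures).
SAMPLE_STAPLED = """OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Aug 30 22:35:12 2020 GMT
    Next Update: Sep  6 22:35:12 2020 GMT
"""
SAMPLE_NONE = "CONNECTED(00000003)\nOCSP response: no response sent\n"
```

Running evaluate with the current time rather than a fixed one catches the common operational failure where a server staples a cached response it never refreshes.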