OCSP stapling is an optional feature that allows a server certificate to be accompanied by an OCSP response that proves its validity. Because the OCSP response is delivered over an already existing connection, the client does not have to fetch it separately.
OCSP stapling is used only if requested by a client, which submits the status_request extension in the handshake request. A server that supports OCSP stapling will respond by including an OCSP response as part of the handshake.
When using the s_client tool, OCSP stapling is requested with the -status switch:

$ echo | openssl s_client -connect www.feistyduck.com:443 -status
The OCSP-related information will be displayed at the very beginning of the connection output. For example, with a server that does not support stapling you will see this line near the top of the output:
CONNECTED(00000003)
OCSP response: no response sent
With a server that does support stapling, you will see the entire OCSP response in the output:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
    Produced At: Aug 30 22:35:12 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
      Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
      Serial Number: F47F09B599124B1F08846AC4D71EB0F2
    Cert Status: good
    This Update: Aug 30 22:35:12 2020 GMT
    Next Update: Sep  6 22:35:12 2020 GMT

    Signature Algorithm: sha256WithRSAEncryption
         1b:9d:be:3e:e6:b2:9a:e6:22:fe:69:cc:55:a9:62:5d:29:79:
         [...]
The certificate status good means that the certificate has not been revoked.
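Reading this output by eye works for a one-off check, but a server that staples nothing, staples a response with an error status, or keeps serving a response past its Next Update is exactly the kind of thing that should be monitored. The following script is an added example, not part of the original text or of OpenSSL: it parses the s_client -status output format shown above from a constructed sample and classifies the result; check_host is a hypothetical wrapper that runs the real command against a live server.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone
# Constructed sample of `openssl s_client -status` output, trimmed to the lines the parser reads.
SAMPLE_STAPLED = """CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Aug 30 22:35:12 2020 GMT
    Next Update: Sep  6 22:35:12 2020 GMT
======================================
"""

def parse_time(text):
    # OpenSSL prints e.g. "Sep  6 22:35:12 2020 GMT"; collapse the day padding first.
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_stapled_ocsp(output):
    """Return the stapled response fields as a dict, or None if nothing was stapled."""
    if "OCSP response: no response sent" in output:
        return None
    info = {}
    for key in ("OCSP Response Status", "Cert Status", "This Update", "Next Update"):
        m = re.search(r"^\s*" + re.escape(key) + r": (.+?)\s*$", output, re.M)
        if m:
            info[key] = parse_time(m.group(1)) if key.endswith("Update") else m.group(1)
    return info

def evaluate(info, now=None, min_remaining=timedelta(days=1)):
    """Classify a parsed response the way a stapling monitor would."""
    now = now or datetime.now(timezone.utc)
    if info is None:
        return "not-stapled"
    if not info.get("OCSP Response Status", "").startswith("successful"):
        return "bad-response"  # e.g. tryLater/unauthorized: the server stapled an error
    if info.get("Cert Status") != "good":
        return info.get("Cert Status", "unknown")  # "revoked" or "unknown"
    if not (info["This Update"] <= now <= info["Next Update"]):
        return "outside-validity"  # stale staple; clients ignore it or fail the handshake
    if info["Next Update"] - now < min_remaining:
        return "expiring"  # the server should refresh its cached response soon
    return "ok"

def check_host(host, port=443):
    # Live check (needs network): run s_client -status against a server and classify the staple.
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=15)
    return evaluate(parse_stapled_ocsp(proc.stdout.decode(errors="replace")))
```

Against the sample, evaluate() returns "ok" on Sep 1 2020, "expiring" a few hours before Next Update and "outside-validity" after it; a server that staples nothing yields "not-stapled".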