最後更新: 2022-05-19

最後更新: 2022-05-18

介紹

OCSP was created as an alternative to certificate revocation lists (CRL)

Certificate revocation lists (CRL)

The browser downloads a list of revoked certificate serial numbers and
    verifies the current certificate, which increases the SSL negotiation time

OCSP

A time-stamped OCSP response signed by the CA to the initial TLS handshake

If the client does not receive a stapled response, it will just contact the OCSP server by itself.

However, if the client receives an invalid stapled response, it will abort the connection.

Stapling

If OCSP stapling is enabled, in your response, in the OCSP Response Data section, it should say the following:

OCSP Response Status: successful (0x0)

An OCSP responder

A server typically run by the certificate issuer

OCSP can be vulnerable to replay attacks (解決: nonce, a validity period)

MustStaple TLS extension

If a browser encounters a certificate with this extension that is used without OCSP Stapling, then it will be rejected.

Note

The RFC 6066 specification the server's CertificateStatus reply may only include an OCSP response for a single cert.

For server certificates with intermediate CA certificates in their chain (the typical case nowadays)

    only partially achieves the  => "saving roundtrips and resources"

TLSv1.3 automatically removes this limitation,

Under TLS 1.3 a server can send multiple OCSP responses,
typically one for each certificate in the certificate chain.

# For TLS 1.2

Under TLS 1.2 only one stapled response can be sent by a server,

    the OCSP response associated with the end-certificate.

RFC 6961 defines a Multiple Certificate Status Request extension,

    which allows a server to send multiple OCSP responses in the TLS handshake.

最後更新: 2022-05-13

目錄

• list (ls)
• upload & download (cp)
• delete (rm)
• Sync Content(sync)
• Improve the transfer performance