So you have configured OCSP stapling and want to know whether it is actually working. It is easy enough to check with the openssl s_client command: -status asks the server for a stapled OCSP response and prints whatever comes back, and -tlsextdebug shows the TLS extensions the server sent during the handshake.
openssl s_client -connect login.live.com:443 -tls1 -tlsextdebug -status
Loading 'screen' into random state - done
CONNECTED(0000017C)
TLS server extension "status request" (id=5), len=0
....
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
...
Cert Status: good
This Update: Jun 12 02:58:39 2012 GMT
Next Update: Jun 19 02:58:39 2012 GMT
...
In this example you can see the client requesting the server's OCSP response through the status_request extension, the server providing that response in the handshake, and openssl parsing it and determining that the server's certificate status is good. Also look at the This Update and Next Update fields: a stapled response is only useful while it is current, so a Next Update that has already passed means the server is serving a stale response even though the status reads good.
For a contrasting example, query the US Mint's website, a site that has not yet configured OCSP stapling (and, being a government site, probably will not for some time):
openssl s_client -connect www.usmint.gov:443 -tls1 -tlsextdebug -status
Loading 'screen' into random state - done
CONNECTED(0000017C)
OCSP response: no response sent
....
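The two checks above can be scripted so that a host's stapling state comes back as a single line instead of a transcript to eyeball. The following shell script is an added example and is not code from the original post: it parses openssl s_client -status output into one of none / stapled:<status> / error:<reason>, and wraps the live probe. The function names (ocsp_staple_status, check_ocsp_stapling) and the sample transcripts embedded in it are constructed for illustration. The wrapper differs from the command line above in two deliberate ways: it adds -servername so that a virtual-hosted server presents the certificate being checked, and it does not pin -tls1, so the client negotiates whatever TLS version the server supports.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies the outcome of an
# OCSP stapling probe made with `openssl s_client -status`. The function
# names and the sample transcripts below are constructed for illustration.

# Read s_client output on stdin and print one line:
#   none              server sent no stapled response (exit 1)
#   stapled:<status>  response present; <status> is its Cert Status
#                     (exit 0 only when the status is "good")
#   error:<reason>    response present but not successful, or no OCSP
#                     block found in the output (exit 2)
ocsp_staple_status() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*)
            echo none
            return 1 ;;
    esac
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        reason=$(printf '%s\n' "$out" | sed -n 's/.*OCSP Response Status: *//p' | head -n 1)
        echo "error:${reason:-no-ocsp-block}"
        return 2
    fi
    status=$(printf '%s\n' "$out" | sed -n 's/.*Cert Status: *//p' | head -n 1)
    echo "stapled:${status:-unknown}"
    [ "$status" = good ]
}

# Probe a live host (needs network). -servername sends SNI so a
# virtual-hosted server presents the certificate being checked; no TLS
# version is pinned, so the client negotiates what the server offers.
# </dev/null closes stdin so s_client exits right after the handshake.
check_ocsp_stapling() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | ocsp_staple_status
}

# Constructed transcripts modelled on s_client -status output.
SAMPLE_STAPLED='CONNECTED(00000003)
TLS server extension "status request" (id=5), len=0
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Jun 12 02:58:39 2012 GMT
    Next Update: Jun 19 02:58:39 2012 GMT
======================================'

SAMPLE_REVOKED='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Jun 10 00:00:00 2012 GMT'

SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'

# Usage: sh ocsp_check.sh host [host ...]   probe live servers
#        sh ocsp_check.sh                   run over the samples only
if [ $# -eq 0 ]; then
    for s in "$SAMPLE_STAPLED" "$SAMPLE_REVOKED" "$SAMPLE_NONE"; do
        printf '%s\n' "$s" | ocsp_staple_status || true
    done
else
    for h in "$@"; do
        printf '%s: ' "$h"
        check_ocsp_stapling "$h" || true
    done
fi
```

Run it with one or more host names to probe live servers; with no arguments it only runs over the embedded samples. The exit status is meant for scripting: only stapled:good returns 0, so a "revoked" staple or a missing one both fail a check. One caveat when interpreting "none": servers that fetch the OCSP response lazily (nginx does this on the first request after startup) can report "no response sent" on the very first connection, so retry once before concluding that stapling is not configured.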
Hope this helps you deploy OCSP Stapling successfully.
Ryan