Serving OCSP on a CDN

So last week we moved our revocation repositories behind a CDN, this has a number of great benefits but it does have downsides though, for example.

  1. Cache misses result in a slower response – About a 110ms in my tests.
  2. OCSP clients that create POSTs get a slower response – This is because they are treated like a cache miss.

Our CDN provider mitigates much he first issue by having a pre-loader that ensures its cache is pre-populated based on request history.

Addressing the second issue requires the CDN provider to be aware of OCSP protocol semantics, specifically the fact that one can compute what a GET request would look like by simply Base64 encoding the binary body of the POST variation.

A CDN with knowledge of this can optimize out the POST derived cache miss, our CDN has done this the change has not yet propagated to all of their datacenters but where it has POST performs the same as a GET.

Hopefully this optimization will have propagated to all their datacenters by next week, when this logic is fully deployed the clients that generate POST based OCSP requests (without a nonce) will also have ~100ms response times.

I should probably ad that in our case almost all of the POST based OCSP requests we receive come from Firefox and do not contain a nonce, hopefully soon Firefox will move to using GET for requests without a nonce like other clients.

5 thoughts on “Serving OCSP on a CDN

  1. Pingback: Serving OCSP POST responses on a CDN

  2. Ankit

    Hi Ryan,

    You mentioned about converting OCSP post response to GET, I am trying to simulate this behavior, Does Firefox always perform a POST response ?, how to convert the POST to GET ? converting the body of Post request to Base 64 encoding ? how ? example would be really helpful

    Reply
    1. rmhrisk Post author

      So in this case my CDN partner (CloudFlare) has some cool stuff built in, for one they use LUA to do magical automation on incoming requests; I worked with them to update their stack so that every time it sees a application/ocsp-request with a POST body to base64 encode it and plop that value on the query string before their pipeline looks up if their platform already has a cached OCSP response sitting there. Its not a ton more complicated than that but if you have any specific questions I would be glad to help — ryan dot hurst at globalsign.com

      Reply
  3. Luqman Durojaiye

    Hi Ryan
    i am Msc Student in telecommunication engineering. My research is the development of a novel key/certificate revocation mechanism suitable for mobile device. at this level of my work, i need to compare my proposed solution to OCSP revocation time. i understand how to use OpenSSL tool to send OCSP request and obtain response from OCSP responder. My challenge is how to send OCSP request and obtain a response on a mobile device. Any kind of help will be appreciated.

    Reply
    1. rmhrisk Post author

      Luqman, there is an Android application that does OCSP testing which could give you this data; absent that you will need to write your own. The largest issues in mobile is the variability in latency and availability of network connectivity. Stapling and small packets (in the case of OCSP CA signed responses) are key to working well in these cases.

      Reply

Leave a Reply to rmhrisk Cancel reply

Your email address will not be published. Required fields are marked *