Testing OCSP Stapling

So you have configured OCSP stapling and you want to know whether it is actually working. It is easy enough to check with the openssl s_client command; the -status flag makes the client send the status_request extension in its ClientHello and print whatever OCSP response the server staples to its certificate:

openssl s_client -connect login.live.com:443 -tls1 -tlsextdebug -status

Loading 'screen' into random state – done
TLS server extension "status request" (id=5), len=0
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Jun 12 02:58:39 2012 GMT
    Next Update: Jun 19 02:58:39 2012 GMT

In this example the client requests the server's OCSP response, the server acknowledges the request (the "status request" extension with len=0 is its acknowledgement; the response itself follows in a CertificateStatus handshake message in TLS 1.2 and earlier, or inside the Certificate message in TLS 1.3), and openssl parses the stapled response and reports that the server's certificate is good. Two things are worth checking here beyond "Cert Status: good": the "OCSP Response Status" must be "successful", since a server can staple a responder error such as tryLater that carries no certificate status at all, and "Next Update" must still be in the future, because a stale stapled response will be rejected by strict clients.

For another example we can query the US Mint's website, a site that has not (yet) configured OCSP stapling:

openssl s_client -connect www.usmint.gov:443 -tls1 -tlsextdebug -status

Loading 'screen' into random state – done
OCSP response: no response sent
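The following script wraps the check above so it can be run against any host and turned into a pass/fail verdict. It is an added example, not code from the original post. It assumes the openssl binary is on PATH, drops the -tls1 flag so the client negotiates whatever version the server supports, and adds -servername so SNI-dependent servers present the right certificate; the function and variable names are the example's own. The sample outputs embedded at the bottom are constructed from the two transcripts shown on this page (with the "CONNECTED" line that s_client prints first) so the parser can be exercised offline.

```shell
#!/bin/sh
# check_ocsp_stapling.sh -- added example (not from the original post).
# Assumes: openssl on PATH; HOST [PORT] supplied by the caller.

# Classify raw `openssl s_client -status` output. Prints one line:
#   STAPLED:<cert status>            a successful response was stapled (good/revoked/unknown)
#   STAPLED:responder_error:<status> the server stapled a non-successful responder status
#   NOT_STAPLED                      the server did not staple a response
#   UNPARSEABLE                      no OCSP marker at all (handshake failed, wrong port, ...)
classify_stapling_output() {
    out="$1"
    case "$out" in
        *"OCSP response: no response sent"*)
            echo NOT_STAPLED ;;
        *"OCSP Response Status: successful"*)
            # Only a successful response carries a "Cert Status" line.
            status=$(printf '%s\n' "$out" \
                | sed -n 's/^[[:space:]]*Cert Status:[[:space:]]*//p' | head -n 1)
            echo "STAPLED:${status:-unknown}" ;;
        *"OCSP Response Status:"*)
            # e.g. "tryLater (0x3)": stapled, but useless to the client.
            rstatus=$(printf '%s\n' "$out" \
                | sed -n 's/^[[:space:]]*OCSP Response Status:[[:space:]]*//p' \
                | head -n 1 | cut -d' ' -f1)
            echo "STAPLED:responder_error:${rstatus}" ;;
        *)
            echo UNPARSEABLE ;;
    esac
}

# Connect to HOST:PORT and classify the result. stdin is /dev/null so
# s_client exits as soon as the handshake is done instead of waiting for
# input (the same effect as the "echo QUIT |" trick from the comments).
check_stapling() {
    host="$1"; port="${2:-443}"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -status </dev/null 2>&1)
    classify_stapling_output "$out"
}

# Constructed samples, taken from the transcripts on this page.
SAMPLE_STAPLED='CONNECTED(00000003)
TLS server extension "status request" (id=5), len=0
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Jun 12 02:58:39 2012 GMT
    Next Update: Jun 19 02:58:39 2012 GMT'
SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent'
SAMPLE_TRYLATER='CONNECTED(00000003)
OCSP response:
OCSP Response Data:
    OCSP Response Status: tryLater (0x3)'

# Usage: sh check_ocsp_stapling.sh HOST [PORT]
if [ "$#" -ge 1 ]; then
    check_stapling "$1" "${2:-443}"
fi
```

Run it against a host once stapling is enabled and expect STAPLED:good; on a freshly started nginx you may see NOT_STAPLED on the very first connection, because nginx fetches the response lazily, so repeat the check after a few seconds before concluding the configuration is wrong.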


One caveat when reusing the commands above: -tls1 pins the client to TLS 1.0, which most servers now refuse, and a failed handshake prints no OCSP status at all. Drop the flag (or use -tls1_2) and add -servername for hosts that rely on SNI. Also remember that "no response sent" is what a server answers when its OCSP cache is still empty; nginx, for instance, fetches the response lazily on the first handshake, so repeat the test before concluding that stapling is misconfigured.

Hope this helps you deploy OCSP Stapling successfully.


7 thoughts on "Testing OCSP Stapling"

  1. Pingback: Measuring OCSP Responder Performance with Powershell

  2. Pingback: Priming the OCSP cache in Nginx

  3. Mike

    You can put an:

    echo QUIT | openssl …

    on the front and immediately send a QUIT down the channel to avoid all the unnecessary traffic and just deal with the certificate.

  4. John

    After searching for an hour for a way to test my server's OCSP setting, I'm glad to have found your article.

    Reply to aaa, you cannot add “http://” before the domain or it fails.
    I have tried openssl s_client -connect https://en.dictpedia.org -tls1 -tlsextdebug -status
    getaddrinfo: Servname not supported for ai_socktype

    openssl s_client -connect en.dictpedia.org:443 -tls1 -tlsextdebug -status
    This command works well.

