Testing OCSP Stapling

So you have configured OCSP stapling and you want to know whether it is actually working. It is easy enough to check with the openssl s_client command:

openssl s_client -connect login.live.com:443 -tls1 -tlsextdebug -status
Loading 'screen' into random state - done
CONNECTED(0000017C)
TLS server extension "status request" (id=5), len=0
....
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Cert Status: good
This Update: Jun 12 02:58:39 2012 GMT
Next Update: Jun 19 02:58:39 2012 GMT

In this example you see the client requesting the server's OCSP response (the -status flag sends the "status request" extension), the server providing that response inside the TLS handshake, and openssl parsing it and determining that the server's certificate is good. The "This Update" and "Next Update" lines are the validity window of the stapled response.

For another example, we can query the US Mint's website, a site that has not yet configured OCSP stapling (and probably won't for some time, since it's a government site):

openssl s_client -connect www.usmint.gov:443 -tls1 -tlsextdebug -status
Loading 'screen' into random state - done
CONNECTED(0000017C)
OCSP response: no response sent
....
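The two checks above come down to reading the "OCSP response:" block that s_client prints. The POSIX shell script below is an added example, not code from the original post: it wraps the same openssl s_client command so it can run unattended, sends QUIT straight away so the session ends after the handshake (the trick Mike suggests in the comments), and classifies the output as stapled, not stapled or revoked. The three sample outputs are constructed, abridged to the shape shown above, with the field values borrowed from the login.live.com example; the -servername and -status flags are standard s_client options.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the openssl s_client
# check from the post so it can run unattended, and classifies its output.

# Constructed sample outputs, abridged to the shape `openssl s_client -status`
# prints (field values taken from the post's login.live.com example).
SAMPLE_STAPLED_GOOD='CONNECTED(00000003)
TLS server extension "status request" (id=5), len=0
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Jun 12 02:58:39 2012 GMT
    Next Update: Jun 19 02:58:39 2012 GMT
======================================'

SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent'

SAMPLE_STAPLED_REVOKED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Jan  1 00:00:00 2012 GMT
    This Update: Jun 12 02:58:39 2012 GMT
    Next Update: Jun 19 02:58:39 2012 GMT
======================================'

# classify_ocsp: read s_client output on stdin, print one verdict word.
#   not-stapled      server answered the status_request with nothing
#   stapled:good     staple present, certificate not revoked
#   stapled:revoked  staple present and says the certificate is revoked
#   stapled:unknown  responder does not know the certificate
#   no-ocsp-data     nothing parsable (connection failed, or no -status flag)
classify_ocsp() {
  _out=$(cat)
  case "$_out" in
    *'OCSP response: no response sent'*) echo not-stapled; return 0 ;;
  esac
  _status=$(printf '%s\n' "$_out" \
    | sed -n 's/^[[:space:]]*Cert Status:[[:space:]]*//p' | head -n 1)
  case "$_status" in
    good)    echo stapled:good ;;
    revoked) echo stapled:revoked ;;
    unknown) echo stapled:unknown ;;
    *)       echo no-ocsp-data ;;
  esac
}

# ocsp_next_update: print the staple's "Next Update" time, so a monitor can
# flag a server that keeps serving a staple past its validity window.
ocsp_next_update() {
  sed -n 's/^[[:space:]]*Next Update:[[:space:]]*//p' | head -n 1
}

# probe_stapling HOST [PORT]: live check against a server. QUIT is sent
# straight away (Mike's tip in the comments) so the session ends right after
# the handshake; -servername sends SNI so a multi-host server picks the
# certificate, and therefore the staple, for the name being tested.
probe_stapling() {
  _host=$1
  _port=${2:-443}
  echo QUIT | openssl s_client -connect "$_host:$_port" -servername "$_host" \
    -status 2>/dev/null | classify_ocsp
}

# With no arguments, run the classifier over the constructed samples (offline);
# with a host argument, probe that host.
if [ $# -gt 0 ]; then
  probe_stapling "$@"
else
  printf '%s\n' "$SAMPLE_STAPLED_GOOD"    | classify_ocsp   # stapled:good
  printf '%s\n' "$SAMPLE_NOT_STAPLED"     | classify_ocsp   # not-stapled
  printf '%s\n' "$SAMPLE_STAPLED_REVOKED" | classify_ocsp   # stapled:revoked
fi
```

Run it as "sh check_stapling.sh login.live.com" for a live probe, or with no arguments to exercise the classifier on the built-in samples. The -tls1 flag from the post is deliberately left out so openssl negotiates the newest protocol version the server offers (Ramon's point in the comments); "no-ocsp-data" on a live probe usually means the connection itself failed, so check plain connectivity before concluding anything about stapling.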

Hope this helps you deploy OCSP Stapling successfully.

Ryan

9 thoughts on “Testing OCSP Stapling”

  1. Pingback: Measuring OCSP Responder Performance with Powershell

  2. Pingback: Priming the OCSP cache in Nginx

  3. Mike

    You can put an:

    echo QUIT | openssl …

    on the front and immediately send a QUIT down the channel to avoid all the unnecessary traffic and just deal with the certificate.

  4. John

    After searching for an hour for a way to test my server's OCSP setting, I was glad to find your article.

    Reply to aaa: you cannot add “http://” before the domain or it fails.
    I have tried openssl s_client -connect https://en.dictpedia.org -tls1 -tlsextdebug -status
    Result:
    getaddrinfo: Servname not supported for ai_socktype
    connect:errno=0

    openssl s_client -connect en.dictpedia.org:443 -tls1 -tlsextdebug -status
    This command works fine.

  5. Ramon

    You might want to use “-tls1_2” instead if your system no longer supports TLS 1.0 (which is good).

  6. Howard Xie

    Thank you for this great post; however, from what I can see, we are verifying that “OCSP” is working — i.e. the server is making a call to the OCSP responder and getting the revocation status back. On the other hand, I’m not sure this suffices to show that “OCSP stapling” is working — i.e. the server ought to cache the OCSP status for some time.

    How do I verify the “stapling” part? Many thanks.
