9 thoughts on “Testing OCSP Stapling”

1. Pingback: Measuring OCSP Responder Performance with Powershell

2. Pingback: Priming the OCSP cache in Nginx

3. aaa January 27, 2015 at 11:34 am

   it worked
   openssl s_client -connect http://www.usmint.gov:443 -tls1 -tlsextdebug -status

   Reply ↓
4. Mike September 14, 2015 at 4:27 am

   You can put an:

   echo QUIT | openssl …

   on the front and immediately send a QUIT down the channel to avoid all the un-necessary traffic and just deal with the certificate.

   Reply ↓
5. Ankit April 20, 2016 at 10:08 pm

   How to test for multiple OCSP stapled message using tls extension “status_request_v2”

   Reply ↓
   1. rmhrisk Post authorApril 20, 2016 at 10:10 pm

      Does anything support it?

      Reply ↓
6. John February 15, 2017 at 11:13 am

   Searching 1 hour for a way to test my server OCSP setting, glad to find your article.

   Reply to aaa, you cannot add “http://” before the domain or it fails.
   I have tried openssl s_client -connect https://en.dictpedia.org -tls1 -tlsextdebug -status
   Result:
   getaddrinfo: Servname not supported for ai_socktype
   connect:errno=0

   openssl s_client -connect en.dictpedia.org:443 -tls1 -tlsextdebug -status
   This command works good.

   Reply ↓
7. Ramon June 1, 2021 at 3:38 am

   you might want to use “-tls1_2” instead if your system does not support TLS 1.0 anymore (which is good).

   Reply ↓
8. Howard Xie August 11, 2021 at 9:19 pm

   Thank you for this great post, however, from I can see, we are verifying that “OCSP” is working — i.e. the server is making a call to OCSP responder and getting the revocation status back. On the other hand, I’m not sure if this is suffice that “OCSP stapling” is working — i.e. the server ought to cache the OCSP status for some time.

   How do I verify the “stapling” part ? Many thanks.

   Reply ↓