TLS - Config - OCSP

Synopsis

Subsection of tls-config_tls-common.

Certificates can be verified against an OCSP Responder. This makes it possible to immediately revoke certificates without the distribution of new Certificate Revokation Lists (CRLs).

Processing Sections

Any.

Expansions

None.

Directives

enable
Syntax

enable = boolean

Default

no

Description

Enable it. The default is no. Deleting the entire ocsp subsection also disables ocsp checking.

override_cert_url
Syntax

override_cert_url = boolean

Default

yes

Description

The OCSP Responder URL can be automatically extracted from the certificate in question. To override the OCSP Responder URL set override_cert_url = yes.

softfail
Syntax

softfail = boolean

Default no

Description

Normally an error in querying the OCSP responder (no response from server, server did not understand the request, etc) will result in a validation failure. To treat these errors as soft failures and still accept the certificate, enable this option.

Warning
 this may enable clients with revoked certificates to connect if the OCSP responder is not available. Use with caution.
timeout
Syntax

timeout = integer

Default

0

Description

Number of seconds before giving up waiting for OCSP response. If enter 0, the system default will be used.

url
Syntax

url = string

DEFAULT

http://127.0.0.1/ocsp/

Description

If the OCSP Responder address is not extracted from the certificate, the URL can be defined here.

LIMITATION: Currently the HTTP Request is not sending the Host: information to the web-server. This can be a problem if the OCSP Responder is running as a vhost.

use_nonce
Syntax

use_nonce = boolean

Default

yes

Description

If the OCSP Responder can not cope with nonce in the request, then it can be disabled here. For security reasons, disabling this option is not recommended as nonce protects against replay attacks.

Note
 Microsoft AD Certificate Services OCSP Responder does not enable nonce by default.

It is more secure to enable nonce on the responder than to disable it in the query here. See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx