Jan. 09, 2017
The NetScaler implementation of CRL and OCSP reports the revocation status of client certificates only. To check the revocation status of a server certificate received during an SSL handshake, a client must send a request to a certificate authority.
For web sites with heavy traffic, many clients receive the same server certificate. If each client sent a query for the revocation status of the server certificate, the certificate authority would be inundated with OCSP requests to check the validity of the certificate.
To avoid unnecessary congestion, the NetScaler appliance now supports OCSP stapling. That is, the appliance can now send the revocation status of a server certificate to a client, at the time of the SSL handshake, after validating the certificate status from an OCSP responder. The revocation status of a server certificate is "stapled" to the response the appliance sends to the client as part of the SSL handshake. To use the OCSP stapling feature, you must enable it on an SSL virtual server and add an OCSP responder on the appliance.
NetScaler appliances support OCSP stapling as defined in RFC 6066.
OCSP stapling is supported only on the front-end of NetScaler appliances.
NetScaler support for OCSP stapling is limited to handshakes using TLS protocol version 1.0 or higher. This feature is not supported in a cluster setup.
During the SSL handshake, when a client requests the revocation status of the server certificate, the NetScaler appliance first checks its local cache for an entry for this certificate. If an entry is found and is still valid, it is evaluated, and the server certificate and its status are presented to the client. If a revocation status entry is not found, the appliance sends the certificate to the client without the status, sends a request for the revocation status of the server certificate to the OCSP responder, and stores the response in its local cache until the nextUpdate time of the OCSP response. If the nextUpdate field is not present, the response is cached for the configured length of time.
The revocation status of a server certificate might not be available when a client initially requests a server certificate, for two reasons. Either the appliance sent a request but is still waiting for a response from the OCSP responder, or the server certificate status information on the appliance has expired and the appliance has to send a fresh request to the OCSP responder.
Configuring OCSP stapling involves enabling the feature and configuring OCSP. To configure OCSP, you must add an OCSP responder, bind the OCSP responder to a CA certificate, and bind the certificate to an SSL virtual server.
As soon as you enable OCSP stapling, the NetScaler appliance sends a request to the OCSP responder, for the revocation status of the server certificate that is bound to the SSL virtual server. Upon receiving the response, the appliance caches it until the nextUpdate time of the OCSP response. If the nextUpdate field is not present, the response is cached for a user-specified period. This status is sent to the client during the SSL handshake.
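The cache behaviour described above (lookup at handshake time, a fresh request when no valid entry exists, caching until nextUpdate with the configured timeout as fallback) as an added Python model. This is not NetScaler code: the class, method names and timestamps are constructed for illustration, and it assumes -producedAtTimeSkew bounds how far a response's producedAt may differ from the appliance clock.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class OcspResponse:
    cert_status: str                  # "good", "revoked" or "unknown"
    produced_at: datetime
    next_update: Optional[datetime]   # None when the responder omits nextUpdate

class StaplingCache:
    """Model of the appliance's OCSP response cache, keyed by certKey name (not NetScaler code)."""
    def __init__(self, cache_timeout_minutes=30, produced_at_skew_seconds=300):
        self.cache_timeout = timedelta(minutes=cache_timeout_minutes)  # -cacheTimeout
        self.skew = timedelta(seconds=produced_at_skew_seconds)        # -producedAtTimeSkew (assumed meaning)
        self.entries = {}     # certkey -> (response, expires_at)
        self.pending = set()  # certkeys with a request outstanding to the responder

    def handshake(self, certkey, now):
        """Status to staple for this handshake, or None when the client gets the cert without status."""
        entry = self.entries.get(certkey)
        if entry is not None and now < entry[1]:
            return entry[0].cert_status
        # Missing or expired entry: drop it, queue a fresh request, serve without status this time
        self.entries.pop(certkey, None)
        self.pending.add(certkey)
        return None

    def store(self, certkey, resp, now):
        """Cache a responder reply; False if producedAt is outside the allowed clock skew."""
        if abs(resp.produced_at - now) > self.skew:
            return False
        expires = resp.next_update if resp.next_update is not None else now + self.cache_timeout
        self.entries[certkey] = (resp, expires)
        self.pending.discard(certkey)
        return True

def demo():
    """Walk the sequence described in the text; returns what each step yields (constructed times)."""
    cache = StaplingCache(cache_timeout_minutes=30, produced_at_skew_seconds=300)
    t0 = datetime(2017, 1, 9, 12, 0, tzinfo=timezone.utc)
    out = [cache.handshake("server_certificate1", t0)]       # first client: nothing cached yet
    good = OcspResponse("good", t0, t0 + timedelta(hours=4))
    cache.store("server_certificate1", good, t0 + timedelta(seconds=2))
    out.append(cache.handshake("server_certificate1", t0 + timedelta(hours=1)))  # served from cache
    out.append(cache.handshake("server_certificate1", t0 + timedelta(hours=5)))  # past nextUpdate
    no_next = OcspResponse("good", t0 + timedelta(hours=5), None)               # no nextUpdate field
    cache.store("server_certificate1", no_next, t0 + timedelta(hours=5))
    out.append(cache.handshake("server_certificate1", t0 + timedelta(hours=5, minutes=29)))
    out.append(cache.handshake("server_certificate1", t0 + timedelta(hours=5, minutes=31)))
    stale = OcspResponse("good", t0 - timedelta(hours=1), None)                  # producedAt far off
    out.append(cache.store("server_certificate1", stale, t0 + timedelta(hours=6)))
    return out
```

The first handshake after enabling the feature, and the first one after an entry expires, carry no status, which is why clients enforcing must-staple can see a failure on that connection.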
To enable OCSP stapling by using the NetScaler command line
At the command prompt, type:
set ssl vserver <name> -ocspstapling [ENABLED | DISABLED]
> set ssl vserver vip1 -ocspStapling ENABLED
> sh ssl vserver vip1
Advanced SSL configuration for VServer vip1:
DH Private-Key Exponent Size Limit: DISABLED Ephemeral RSA: ENABLED Refresh Count: 0
Session Reuse: ENABLED Timeout: 120 seconds
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
ClearText Port: 0
Client Auth: DISABLED
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
OCSP Stapling: ENABLED
SSLv2: DISABLED SSLv3: DISABLED TLSv1.0: ENABLED TLSv1.1: ENABLED TLSv1.2: ENABLED
Push Encryption Trigger: Always
Send Close-Notify: YES
ECC Curve: P_256, P_384, P_224, P_521
1) CertKey Name: server_certificate1 Server Certificate
1) Cipher Name: DEFAULT
Description: Default cipher list with encryption strength >= 128bit
To enable OCSP stapling by using the NetScaler GUI
An OCSP responder can be dynamically added (in the case of an internal responder) on the basis of the OCSP URL in the server certificate, or an OCSP responder can be manually added from the NetScaler CLI or GUI.
To dynamically create an internal OCSP responder, the appliance needs the following:
An internal OCSP responder cannot be removed (deleted) or unbound from the virtual server. To remove an internal OCSP responder, you must remove the issuer or the server certificate.
To configure OCSP by using the command line interface
At the command prompt, type the following commands to configure OCSP and verify the configuration:
add ssl certkey root_ca1 -cert root_cacert.pem
add ssl ocspResponder ocsp_responder1 -url "http://www.myCA.org:80/ocsp/" -cache ENABLED -cacheTimeout 30 -resptimeout 100 -responderCert responder_cert -producedAtTimeSkew 300 -signingCert sign_cert -insertClientCert YES
bind ssl certKey root_ca1 -ocspResponder ocsp_responder1 -priority 1
sh ocspResponder ocsp_responder1
URL: http://www.myCA.org:80/ocsp/, IP: 220.127.116.11
Caching: Enabled Timeout: 30 minutes
Batching: 8 Timeout: 100 mS
HTTP Request Timeout: 100mS
Request Signing Certificate: sign_cert
Response Verification: Full, Certificate: responder_cert
ProducedAt Time Skew: 300 s
Nonce Extension: Enabled
Client Cert Insertion: Enabled
show certkey root_ca1
Name: root_ca1 Status: Valid, Days to expiration:8907
1) OCSP Responder name: ocsp_responder1 Priority: 1
To modify OCSP by using the command line interface
You cannot modify the name of an OCSP responder, but you can use the set ssl ocspResponder command to change any of the other parameters.
At the command prompt, type the following commands to set the parameters and verify the configuration:
To configure OCSP by using the configuration utility