-----END DH PARAMETERS-----
</source>
== OCSP Stapling ==
When connecting to a server, clients should verify that the server certificate has not been revoked, using either a Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP) response. The problem with CRLs is that the lists have grown huge and are slow to download. OCSP is much more lightweight, as only one record is retrieved at a time. The side effect is that the client must query a third-party OCSP responder every time it connects to a server, which adds latency and a potential point of failure.
The solution is to let the server fetch the OCSP response itself and send it to the client during the TLS handshake, so the client never has to contact the OCSP responder. This mechanism saves a round trip between the client and the OCSP responder and is called OCSP Stapling.
The location of the OCSP responder is taken from the Authority Information Access field of the signed certificate:
<pre>
Authority Information Access:
    OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
</pre>
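The following shell script is an added example and is not part of the wiki page or of any project it describes. It shows how an operator can verify from the client side that stapling actually works: <code>openssl s_client -status</code> asks the server for a stapled OCSP response and prints either an "OCSP Response Status" block or "OCSP response: no response sent". The script classifies that output, and also extracts the responder URL from the Authority Information Access text shown above. The function names, the constructed sample outputs and the hypothetical host name are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the wiki page: check whether a TLS server staples
# an OCSP response, by classifying the output of `openssl s_client -status`.

# classify_stapling <s_client output text>
# Prints "stapled", "not-stapled" or "unknown".
classify_stapling() {
    if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$1" | grep -q 'OCSP response: no response sent'; then
        echo not-stapled
    else
        echo unknown
    fi
}

# ocsp_uri_from_text <text of the Authority Information Access extension>
# Prints the first "OCSP - URI:" value, which is where the server must fetch
# the response it will staple.
ocsp_uri_from_text() {
    printf '%s\n' "$1" | sed -n 's/.*OCSP - URI://p' | head -n 1
}

# live_check <host> [port]
# Runs a real handshake (needs network) and classifies the result.
live_check() {
    host=$1
    port=${2:-443}
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
              -servername "$host" -status 2>/dev/null)
    classify_stapling "$out"
}

# Constructed sample outputs (abbreviated) in the shape s_client prints them.
SAMPLE_STAPLED=$(cat <<'EOF'
CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================
EOF
)

SAMPLE_NONE=$(cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
EOF
)

# AIA text as shown on the page.
SAMPLE_AIA=$(cat <<'EOF'
Authority Information Access:
    OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
EOF
)

# Offline demonstration on the constructed samples.
echo "sample 1: $(classify_stapling "$SAMPLE_STAPLED")"      # stapled
echo "sample 2: $(classify_stapling "$SAMPLE_NONE")"         # not-stapled
echo "responder: $(ocsp_uri_from_text "$SAMPLE_AIA")"

# Optional live check against a host given on the command line, e.g.
#   sh check_stapling.sh www.example.org   (hypothetical host name)
if [ $# -gt 0 ]; then
    live_check "$1" "${2:-443}"
fi
```

A "not-stapled" result on a server that has stapling enabled usually means the server could not reach the responder URI above or has not yet cached a response; run the check again after the first few connections before concluding the configuration is wrong.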
== Supported ciphers on various systems ==