IIS ocsp stapling – no response

iisocsp

I have a certificate that is configured in IIS in windows server 2012 with ocsp_uri.

When I test the server for oscp stapling there is no response:

openssl s_client -connect example.com:443 -tls1 -tlsextdebug -status

OCSP response: no response sent

From the server when I test the access to ocsp responder with:

openssl ocsp -issuer sub.class1.server.ca.pem -cert ssl.crt -text -url http://ocsp.startssl.com/sub/class1/server/ca -header "HOST" "ocsp.startssl.com"

I get a response. (the request need to be http/1.1)

How can I check why the ocsp stapling is not being returned by IIS?

Best Answer

Is there an OCSP Responder URL coded in the "Authority Information Access (AIA)" field, where the “Access Method” is “On-line Certificate Status Protocol”? This was a requirement in earlier versions of IIS for OCSP Stapling to work. The other stipulation was to ensure there is no firewall or the firewall is configured to allow outgoing OCSP requests from the server, to the OCSP Responder.

Related Solutions

Iis – Why is IIS 7.5 seeing some requests as HTTP/1.0

This is because of old proxy servers who convert http 1.1 to http 1.0. disable NO_COMPRESSION_10. see Need help with some IIS7 web.config compression settings

Nginx – OCSP validation – unable to get local issuer certificate

Those two errors was unrelated although the error message was same.

[...]SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 [...] Start Time: 1411583991 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate)

Above error was issued openssl_client command. As explained by Florian Heigl, you get this error because the openssl_client need the Globalsign Root cert in /etc/ssl/certs.

OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get local issuer certificate) while requesting certificate status, responder: gv.symcd.com

For this error, it was issued by nginx ocsp routine, especially when you add ssl_stapling_verify on; line in nginx.conf.

Here some excerpt from the documentation of ssl_stapling_verify to explain why it throws the error

Syntax: ssl_stapling_verify on | off;

Enables or disables verification of OCSP responses by the server.

For verification to work, the certificate of the server certificate issuer, the root certificate, and all intermediate certificates should be configured as trusted using the ssl_trusted_certificate directive.

In other words, you need provide (2) Intermediate CA Bundle (RapidSSL SHA256 CA - G3) and (3) Intermediate CA Bundle (GeoTrust Global CA) to ssl_trusted_certificate directive.

cat GeoTrustGlobalCA.crt rapidsslG3.crt > ocsp-chain.crt

and add ocsp-chain.crt to ssl_trusted_certificate directive.

Best Answer

Related Solutions

Iis – Why is IIS 7.5 seeing some requests as HTTP/1.0

Nginx – OCSP validation – unable to get local issuer certificate

Related Topic