October 9, 2018

High Performance OCSP Stapling

  OCSP, Technology, TLS


This blog post describes an existing function of our service. No change has been made to our network.

Whenever a SSL/TLS certificate is used, a client should (ideally) check to see if that certificate has been revoked. To do that, clients use the Online Certificate Status Protocol (OCSP). Briefly how it works: when a client receives a certificate, it connects to the Certificate Authority's (CA) OCSP server, and the OCSP server sends back a signed response indicating the status of the certificate. Here it is in chart form:

There are a few problems with this, but we're going to focus on two issues. The first is the performance implication: the browser needs to connect to the OCSP server and download the response, increasing the time it takes to complete the TLS handshake. There's also a privacy issue since the browser is advertising to the OCSP server of the websites it's connecting to.

To solve these two issues there's OCSP Stapling. Instead of relying on the client to get the response from the OCSP server, the web server does so instead and staples it's response to the certificate:

The client saves the connection time to the OCSP server, and it no longer needs to advertise to the OCSP server which websites it's connecting to. So problem solved?

Not at all. In the chart above, notice that the server is now making the OCSP request after receiving the ClientHello message. This is not simply for diagram purposes. It's an accurate representation of how many web servers (and some CDNs) handle OCSP Stapling. They've simply moved the performance impact from the client to the server.

To mitigate the performance impact, NuevoCloud prefetches OCSP responses and maintains a cache for each certificate on our service. Those responses are automatically updated before they expire, to ensure that an OCSP response never needs to be fetched before answering a request.

As a result, the client can connect and negotiate a connection with our edge server faster. This is just part of the work we're doing to accelerate TLS. We'll be writing more on this topic later.