Score:0

Cannot enable OCSP stapling

Windows Server 2022
Apache x64 2.4.57
OpenSSL 3.0.8

My Apache SSL conf has this:

SSLUseStapling On
SSLStaplingCache "shmcb:${SRVROOT}/logs/ssl_stapling(65536)"
SSLStaplingStandardCacheTimeout 3600
SSLStaplingErrorCacheTimeout 600

But https://entrust.ssllabs.com/ reports this:

enter image description here

Is there some setting I am missing?

Score:3

In the images the properties of the certificate are shown. OCSP Must Staple is a property of the certificate, i.e. that the certificate should only be used together with OCSP stapling - see here for more information on this and how to create such certificates.

The configuration of the server you show instead shows how to make OCSP stapling work with the Apache web server. It does not affect the OCSP Must Staple property of the certificate and thus does not affect the display of the certificate properties either. But if you use a certificate with this property and don't have OCSP stapling enabled in the web server, then the TLS handshake will fail if the client enforces this certificate property.

MonkeyZeus
Excellent answer, thank you. I was beginning to suspect that this had something to do with the certificate itself. I wish https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslusestapling had even a small sentence stating this relationship between the Apache directive and the cert.
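
To illustrate the answer above, here is an added example (not part of the original thread, nor code from Apache or OpenSSL) showing that OCSP Must-Staple lives in the certificate itself: it is the TLS Feature extension (OID 1.3.6.1.5.5.7.1.24, RFC 7633) listing `status_request` (5), which no `SSLUseStapling` setting adds or removes. The function names and the sample bytes are constructed for illustration.

```python
import ssl

# DER bytes of OID 1.3.6.1.5.5.7.1.24 (id-pe-tlsfeature, RFC 7633).
TLS_FEATURE_OID = bytes.fromhex("06082b06010505070118")
STATUS_REQUEST = 5  # TLS extension number of status_request (OCSP stapling)

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def tls_features(der):
    """List the TLS feature numbers a certificate requires ([] if none).
    Finds the extension by its OID bytes, a shortcut instead of a full walk."""
    at = der.find(TLS_FEATURE_OID)
    if at < 0:
        return []
    tag, value, pos = _read_tlv(der, at + len(TLS_FEATURE_OID))
    if tag == 0x01:  # optional BOOLEAN "critical" flag comes first
        tag, value, pos = _read_tlv(der, pos)
    if tag != 0x04:  # extnValue is an OCTET STRING
        raise ValueError("malformed TLS Feature extension")
    tag, seq, _ = _read_tlv(value, 0)
    if tag != 0x30:  # Features ::= SEQUENCE OF INTEGER
        raise ValueError("malformed TLS Feature list")
    features, p = [], 0
    while p < len(seq):
        _, num, p = _read_tlv(seq, p)
        features.append(int.from_bytes(num, "big"))
    return features

def is_must_staple(cert):
    """cert is PEM text or DER bytes; True if status_request is required."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return STATUS_REQUEST in tls_features(der)

# Constructed samples: single extensions as they sit inside a certificate.
SAMPLE_MUST_STAPLE = bytes.fromhex("301106082b0601050507011804053003020105")
SAMPLE_KEY_USAGE = bytes.fromhex("300b0603551d0f040403020780")

if __name__ == "__main__":
    print(is_must_staple(SAMPLE_MUST_STAPLE), is_must_staple(SAMPLE_KEY_USAGE))
```

To check a real certificate, pass the PEM text of the server certificate file to `is_must_staple`.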