Ping a Specific Port

Question

franzo

Asked: 2016-09-03 14:39:14 +0800 CST2016-09-03 14:39:14 +0800 CST 2016-09-03 14:39:14 +0800 CST

Enabling OCSP stapling on IIS SNI-enabled site

772

If Require Server Name Indication is checked on the binding of an IIS site, OCSP stapling is disabled for the site.

This is easily confirmed by enabling SNI for a site that currently doesn't require it, and checking using https://www.ssllabs.com/ssltest/ or openssl:

openssl s_client -connect foobar.com:443 -servername foobar.com -tls1 -tlsextdebug -status

Does anyone have a workaround for this so that clients of SNI-enabled sites can enjoy the benefits of OCSP stapling?

2 Answers

Voted

Jim Wolff · Answer 1 · 2018-08-15T22:11:38+08:00

According to Microsoft this behavior is disabled by default, because of potential performance issues.

To enable OCSP stapling for SNI and CCS bindings, locate the following registry subkey: "EnableOcspStaplingForSni"=dword:00000001 under Registry path: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]

Powershell snippet:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\" -Name "EnableOcspStaplingForSni" -PropertyType DWord -Value 1

Microsoft reference article, the article concerns windows 2012 server, i have tested this, and it is still relevant for 2016 aswell.

OCSP stapling

Online Certificate Status Protocol (OCSP) stapling enables a web server, such as Internet Information Services (IIS), to provide the current revocation status of a server certificate when it sends the server certificate to a client during the TLS handshake. This feature reduces the load on OCSP servers because the web server can cache the current OCSP status of the server certificate and send it to multiple web clients. Without this feature, each web client would try to retrieve the current OCSP status of the server certificate from the OCSP server. This would generate a high load on that OCSP server.

By default, OCSP support is enabled for IIS websites that have a simple secure (SSL/TLS) binding. However, this support is not enabled by default if the IIS website is using either or both of the following types of secure (SSL/TLS) bindings:

Require Server Name Indication

Use Centralized Certificate Store

In this case, the server hello response during the TLS handshake won't include an OCSP stapled status by default. This behavior improves performance: The Windows OCSP stapling implementation scales to hundreds of server certificates. Because SNI and CCS enable IIS to scale to thousands of websites that potentially have thousands of server certificates, setting this behavior to be enabled by default may cause performance issues.

Note Enabling this registry key has a potential performance impact.

Andrei · Answer 2 · 2017-10-14T13:38:01+08:00

Best Answer

Andrei

2017-10-14T13:38:01+08:002017-10-14T13:38:01+08:00

Create a DWORD reg value EnableOcspStaplingForSni under HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel\ and set it to a non-zero value.

2

Enabling OCSP stapling on IIS SNI-enabled site

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?