In a previously published guide we covered the basic steps to enable OCSP Stapling on Apache. That is as far as most websites on this earth go. It is not unusual to hit odd errors with OCSP Stapling, and most websites advise fixing them one way or another. Here is a complete guide to Apache 2.4 OCSP Stapling optimization and error prevention.
Apache 2.4 OCSP Stapling Error Prevention
You must keep an eye on /var/log/apache2/error.log, or wherever your error log file is located. Additionally, you should regularly check the front-end pages. Many of the required modules are often not enabled. At this moment the required modules have no known bug for Apache 2.4 on Ubuntu, but they need proper installation. Under the next subheader we describe an optimisation which will automatically fix the most common errors, which usually come from modules that are not properly configured.
Apache 2.4 OCSP Stapling Optimization
This is an example virtual host file with OCSP Stapling and other modern settings:
```apache
<IfModule mod_ssl.c>
    SSLCryptoDevice dynamic
    # Shared-memory caches for stapled OCSP responses and TLS sessions
    SSLStaplingCache shmcb:/etc/apache2/stapling_cache(256000)
    SSLSessionCache shmcb:/etc/apache2/ssl_gcache_data_shmcb(1024000)
    ## SSLSessionCache dbm:/etc/apache2/ssl_gcache_data_dbm
    SSLSessionCacheTimeout 300
    Mutex file:/etc/apache2/ ssl-cache
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLPassPhraseDialog builtin
    <VirtualHost *:443>
        ServerName example.org
        # With ProtocolsHonorOrder On the server's own order wins, so h2 must be
        # listed first or HTTP/2 is never negotiated (the original listed http/1.1 first)
        ProtocolsHonorOrder On
        Protocols h2 http/1.1
        ServerAdmin admin@example.org
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLCertificateFile /etc/ssl/private/public.crt
        SSLCertificateKeyFile /etc/ssl/private/private.key
        # The intermediate chain is required: mod_ssl needs the issuer to query the OCSP responder
        SSLCertificateChainFile /etc/ssl/private/intermediate.crt
        SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"
        # OCSP and OCSP Stapling directives
        SSLOCSPEnable on
        SSLUseStapling on
        SSLOCSPResponseMaxAge 900
        SSLOCSPResponseTimeSkew 300
        SSLStaplingReturnResponderErrors off
        SSLStaplingErrorCacheTimeout 60
        SSLOpenSSLConfCmd ECDHParameters secp384r1
        SSLOpenSSLConfCmd Curves secp521r1:secp384r1
        # (fixed typo from the original: "includeSubDomainsi")
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        Header always set X-Content-Type-Options nosniff
        Header always set X-Frame-Options SAMEORIGIN
        Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
        # Public-Key-Pins is deprecated and ignored by current browsers; a wrong pin
        # locks users out for max-age, so only keep it if you know why you need it
        Header always set Public-Key-Pins 'pin-sha256="snqzW9Bwdb/++vjcA36+kbP/qaVMmnB9ckuI3qAkihQ="; pin-sha256="BJKSF/6L2QXz4xK6MVj2RTiyPlFzQx3NcpuxnuqdABk="; max-age=5184000; includeSubDomains'
        Header set X-XSS-Protection "1; mode=block"
        Header set Expect-CT "enforce; max-age=3600"
        Header set Referrer-Policy "origin"
        FileETag None
        Header add Link "</wp-content/plugins/crayon-syntax-highlighter/js/min/crayon.min.js>; rel=preload; as=script; x-http2-push-only"
        Include /etc/letsencrypt/options-ssl-apache.conf
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/html>
            Options FollowSymLinks MultiViews
            AllowOverride All
            # 2.2-style access control; it only works because access_compat is enabled
            # (the 2.4 equivalent is "Require all granted")
            Order allow,deny
            allow from all
        </Directory>
    </VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```
You can see that there are a lot of directives related to OCSP Stapling and caching. shmcb and dbm are two keywords that many people do not know much about. On Apache, the primary modules involved in key-value caching are mod_socache_dbm, mod_socache_dc, mod_socache_memcache and mod_socache_shmcb, and the supporting modules are mod_authn_socache and mod_ssl.
The mod_socache_dbm backend uses a file-based key-value store, which can suffer from memory leaks. mod_socache_shmcb, the shared-memory backend, is better and is possibly the best option for key-value caching. mod_socache_dc has not been updated in the last 13 years. You can see the commented-out line in the above configuration:
```apache
## SSLSessionCache dbm:/etc/apache2/ssl_gcache_data_dbm
```
We kept it there for you to test. You can also see the OCSP and OCSP Stapling related directives in the config:
```apache
# OCSP validation of client certificate chains (Apache allows full-line comments only)
SSLOCSPEnable on
# Staple the server certificate's OCSP response into the TLS handshake
SSLUseStapling on
# Maximum allowed age of an OCSP response, in seconds
SSLOCSPResponseMaxAge 900
# Clock skew tolerated when checking response validity times, in seconds
SSLOCSPResponseTimeSkew 300
# Do not pass responder errors (tryLater, unknown, expired) on to clients
SSLStaplingReturnResponderErrors off
# How long a failed responder lookup stays in the stapling cache, in seconds
SSLStaplingErrorCacheTimeout 60
```
Usually the above-mentioned modules are either not installed or not activated. Run this command:
```sh
sudo a2enmod authz_core authz_host access_compat socache_shmcb slotmem_shm socache_dbm
```
On a system where they are already enabled, the response will be:
```
Module authz_core already enabled
Considering dependency authz_core for authz_host:
Module authz_core already enabled
Module authz_host already enabled
Considering dependency authn_core for access_compat:
Module authn_core already enabled
Module access_compat already enabled
Module socache_shmcb already enabled
Module slotmem_shm already enabled
Module socache_dbm already enabled
```
Apache has extensive documentation on the shared object cache: https://httpd.apache.org/docs/trunk/socache.html
With a configuration like the example we gave, run:
```sh
# Syntax check first; fix anything it reports before restarting
apachectl -t
sudo systemctl restart apache2.service
```
You should not receive any error, and there will be a marginal improvement in page loading speed.
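A clean restart only proves the config parses; to confirm that clients actually receive a usable stapled response, check the output of `openssl s_client -status`. The script below is an added example (not from the original guide): it classifies that output, distinguishing a good staple from no staple and from a stapled responder error such as tryLater (what clients would see with SSLStaplingReturnResponderErrors on). The sample outputs are constructed, and example.org is a placeholder host.

```sh
#!/bin/sh
# Added example: classify `openssl s_client -status` output to confirm that
# Apache is really stapling a usable OCSP response after the restart.
# Prints one of: stapled-good, stapled-revoked, stapled-other, not-stapled.
# Exit status is 0 only for stapled-good.
check_stapling() {
    out="$1"
    # Apache sent no status_request data at all: stapling is not active
    if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
        echo "not-stapled"; return 1
    fi
    # A response was stapled but the responder reported an error
    # (what a client sees when SSLStaplingReturnResponderErrors is on)
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo "stapled-other"; return 1
    fi
    status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
    case "$status" in
        good)    echo "stapled-good";    return 0 ;;
        revoked) echo "stapled-revoked"; return 1 ;;
        *)       echo "stapled-other";   return 1 ;;
    esac
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = example.org'
SAMPLE_TRYLATER='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: trylater (0x3)
======================================'

# Live use against your own host (example.org is a placeholder):
# check_stapling "$(printf Q | openssl s_client -connect example.org:443 \
#     -servername example.org -status 2>/dev/null)"
```

Run the live form right after the restart and again a few minutes later: the first handshake can still be unstapled while mod_ssl fetches the response, so a persistent not-stapled result points back at error.log.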