OCSP configuration

In addition to enabling Online Certificate Status Protocol (OCSP), there are a number of properties that can be configured by an application to customize the OCSP behavior.

When OCSP revocation checking is enabled, an HTTP request is sent to an OCSP responder. The request contains information to identify the certificate for which revocation status is being queried and an optional signature. The optional signature on the request is used to help the responder verify valid requests that are received from clients. Request signatures are disabled by default. The request is sent to the responder over HTTP by the GET or the POST method. Requests that are sent by the GET method enable HTTP caching. If configuration indicates that the GET method is preferred and the request is smaller than 255 bytes, the request is sent by the GET method. Otherwise, the request is sent by the POST method. The GET method is preferred by default.

After a request is sent, OCSP revocation checking blocks until a response is received from the responder or it times out. Revocation checking happens as part of the session negotiation; therefore, the session negotiation blocks while revocation checking is done. If the timeout set on the session negotiation is smaller than the OCSP timeout configured, the smaller value is used for the OCSP timeout. The OCSP timeout value defaults to 10 seconds, but can be configured by an application.

A valid response is signed and includes data to indicate the revocation status of the certificate queried. The revocation status of the certificate can be good, unknown, or revoked. The response must be signed by a certificate that meets at least one of the following requirements:
  • The signing certificate is trusted by the local certificate store.
  • The signing certificate is the certificate authority (CA) that issued the certificate to be validated.
  • The signing certificate includes a value of id-ad-ocspSigning in an ExtendedKeyUsage extension and is issued by the CA that issued the certificate in question.
The size of a response can vary. It is up to the application to determine the maximum response size allowed. By default the maximum response size that is allowed is 20480 bytes. If a response is larger than the maximum size allowed, the response is ignored and treated the same as a response that indicates unknown certificate status.

A cryptographic nonce value is a security mechanism that can be used to verify that the response received is a reply to a particular request. The nonce value, which is a random generated bit string, is computed and included as part of both the request and response. If nonce checking is enabled, the nonce value included on the response is verified with the value that is sent in the request. If the nonce values do not match, the response is ignored. Nonce checking is disabled by default.

Revocation checking can slow down session negotiation. However, caching OCSP responses allows the client to obtain revocation status from previous requests without sending the same request again. The OCSP response cache is enabled by default, but can be disabled for an application.

A proxy HTTP server can be used as an intermediate server to handle OCSP requests from cached responses, or forward requests to the configured responder. If a proxy server is configured for an application, all the OCSP requests for the application are sent to the configured server. The default proxy port is 80. A proxy server is not configured by default.

Start of changeClient sessions have the ability to request that a server session send the OCSP request for the server certificate on behalf of the client. Enabling this option on the client causes the client to send the certificate status request extension to the server. When the certificate status request extension is sent by the client and certificate status request processing is enabled on the server session, the server sends a stapled OCSP response to the client as part of session negotiation. A client session can require certificate status request processing. This means that if the server certificate has the feature extension indicating that it must staple, the server must staple an OCSP response or else the client fails session negotiation. Certificate status request processing is disabled on both client and server sessions by default.End of change

The Global Security Kit (GSKit) APIs, gsk_attribute_set_buffer(), gsk_attribute_set_numeric_value(), and gsk_attribute_set_enum(), can be used to configure OCSP with the following API attributes:
  • GSK_OCSP_URL - URL of the OCSP responder to which OCSP requests are sent
  • GSK_OCSP_ENABLE - Enable AIA checking
  • GSK_OCSP_CHECK_AIA_FIRST - Determine if OCSP URL or OCSP AIA extension checking should be done first
  • GSK_OCSP_REQUEST_SIGKEYLABEL - Certificate label of the certificate that is used to sign the OCSP request
  • GSK_OCSP_REQUEST_SIGALG - Signature algorithm that is used to generate the signature of the OCSP request
  • GSK_OCSP_RETRIEVE_VIA_GET - Method with which the OCSP request is sent
  • Start of changeGSK_HTTP_CONNECT_TIMEOUT - Number of seconds to wait for a connection to the OCSP responder to completeEnd of change
  • GSK_OCSP_TIMEOUT - Number of seconds to wait for a response from the OCSP responder
  • GSK_OCSP_MAX_RESPONSE_SIZE - Maximum response size in bytes to be accepted from the OCSP responder
  • GSK_OCSP_CLIENT_CACHE_SIZE - Enable or disable the OCSP client response cache
  • GSK_OCSP_NONCE_GENERATION_ENABLE - Send a nonce extension as part of the OCSP request
  • GSK_OCSP_NONCE_CHECK_ENABLE - Verify that the nonce extension in the OCSP response matches the one sent in the OCSP request
  • GSK_OCSP_NONCE_SIZE - Number of bytes to be used to generate the nonce value
  • GSK_OCSP_PROXY_SERVER_NAME - Server name of the proxy server to which OCSP requests are sent
  • GSK_OCSP_PROXY_SERVER_PORT - Port number of the proxy server to which OCSP requests are sent
  • Start of changeGSK_SSL_EXTN_CERTSTATUSREQ_ENABLE - Enable or disable certificate status request processing on a client or server sessionEnd of change
  • Start of changeGSK_TLS_FEATURES_EXTN_ENABLE - Indicate if certificate status request processing is required by a client session when the server's certificate includes the feature extension for must stapleEnd of change

Applications that use the integrated IBM® i SSL_ APIs or IBM i JSSE implementation do not have an interface to configure OCSP. However, any programs that use an "application ID" can enable or disable OCSP revocation checking through DCM. The default values are used for all other OCSP configuration options.