Speeding up TLS connections for haproxy with OCSP / 2020-10-14

2020-10-14 Speeding up TLS connections for haproxy with OCSP 1 week ago
Encrypt all the things meme On my to-do list was the idea to look at OCSP stapling for haproxy. OCSP is Online Certificate Status Protocol which wraps the revocation status of a certificate in the certificate negotiation. This speeds up the TLS setup a bit since the client doesn't have to make an extra connection to the OCSP responder of the certificate issuer and it adds a bit of privacy because the certificate issuer doesn't see which client requests the status of a certificate.

Finding the right way to get the ocsp updates to haproxy was a bit of work, eventually made some modifications to the script in HAProxy OCSP stapling. I also used the remarks in OCSP stapling with HAProxy. From pitfall to euphoria because I saw the "OCSP single response: Certificate ID does not match any certificate or issuer" error message. I had to restart haproxy first to make it enable ocsp processing (because now each server certificate has its own .ocsp file) and now it accepts the "set ssl ocsp-response" command.

Update: I'm not completely happy yet: after a certificate was renewed haproxy complained about the .ocsp file being out of date. Which is fully correct, since that .ocsp file was about a previous version of the certificate. This needs more work. Ideally I would check the validity of the .ocsp file before deciding to renew it. And fetch the new ocsp data before reloading a renewed certificate.

Anyway, the 'TLS setup' part of connecting to sites like idefix.net goes from 20-21 milliseconds to 5-8 milliseconds. Not a blinding fast improvement but all bits help and I like to have optimal security and privacy.

Update: Some more Makefile magic for reloading certificates.
ocspstatusfiles := $(wildcard /etc/haproxy/ssl/webserver-*.pem.ocsp)

/etc/haproxy/ssl/certificate-stamp: $(ocspstatusfiles)
        /usr/sbin/service haproxy reload
        touch $@

/etc/haproxy/ssl/%.pem: /etc/haproxy/ssl/%.key /home/dehydrated/remotemanaged/%.crt
        /usr/local/bin/checkcert $^
        cat $^ > $@

/etc/haproxy/ssl/%.pem.ocsp: /etc/haproxy/ssl/%.pem
        /usr/local/bin/haproxy-ocsp-maker $^
And haproxy-ocsp-maker is a smaller script that just creates the .ocsp file for a .pem certificate file. It doesn't notify haproxy, because haproxy isn't aware of the new certificate at that moment, that will come in the next reload.

Tags: , , ,

, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers pgp key statistics for 0x5BA9368BE6F334E4 Koos van den Hout
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated in 0.004706 seconds.