Speeding up TLS connections for haproxy with OCSP / 2020-10-14

2020-10-14 Speeding up TLS connections for haproxy with OCSP
Encrypt all the things meme On my to-do list was the idea to look at OCSP stapling for haproxy. OCSP is Online Certificate Status Protocol which wraps the revocation status of a certificate in the certificate negotiation. This speeds up the TLS setup a bit since the client doesn't have to make an extra connection to the OCSP responder of the certificate issuer and it adds a bit of privacy because the certificate issuer doesn't see which client requests the status of a certificate.

Finding the right way to get the ocsp updates to haproxy was a bit of work, eventually made some modifications to the script in HAProxy OCSP stapling. I also used the remarks in OCSP stapling with HAProxy. From pitfall to euphoria because I saw the "OCSP single response: Certificate ID does not match any certificate or issuer" error message. I had to restart haproxy first to make it enable ocsp processing (because now each server certificate has its own .ocsp file) and now it accepts the "set ssl ocsp-response" command.

Update: I'm not completely happy yet: after a certificate was renewed haproxy complained about the .ocsp file being out of date. Which is fully correct, since that .ocsp file was about a previous version of the certificate. This needs more work. Ideally I would check the validity of the .ocsp file before deciding to renew it. And fetch the new ocsp data before reloading a renewed certificate.

Anyway, the 'TLS setup' part of connecting to sites like idefix.net goes from 20-21 milliseconds to 5-8 milliseconds. Not a blinding fast improvement but all bits help and I like to have optimal security and privacy.

Update: Some more Makefile magic for reloading certificates.
httpscertificates := $(wildcard /etc/haproxy/ssl/webserver-*.pem)

/etc/haproxy/ssl/certificate-stamp: $(httpscertificates)
        /usr/sbin/service haproxy reload
        touch $@

/etc/haproxy/ssl/%.pem: /etc/haproxy/ssl/%.key /home/dehydrated/remotemanaged/%.crt
        /usr/local/bin/checkcert $^
        cat $^ > $@
        /usr/local/bin/haproxy-ocsp-maker $@

/etc/haproxy/ssl/%.pem.ocsp: /etc/haproxy/ssl/%.pem
        /usr/local/bin/haproxy-ocsp-maker $^
And haproxy-ocsp-maker is a smaller script that just creates the .ocsp file for a .pem certificate file. It doesn't notify haproxy, because haproxy isn't aware of the new certificate at that moment, that will come in the next reload.

Tags: , , ,

IPv6 check

Running test...
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers

Meningen zijn die van mezelf, wat ik schrijf is beschermd door auteursrecht. Sommige publicaties bevatten een expliciete vermelding dat ze ongevraagd gedeeld mogen worden.
My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.
Other webprojects: Camp Wireless, wireless Internet access at campsites
This page generated by $Id: newsitem.cgi,v 1.62 2023/09/19 14:49:50 koos Exp $ in 0.010641 seconds.