
OCSPStapling

OCSP stapling is a technique used to improve the efficiency and privacy of certificate revocation checks in Transport Layer Security (TLS). In this approach, the web server periodically queries the certificate authority’s OCSP responder to obtain the revocation status of its TLS certificate and then sends that OCSP response to clients during the TLS handshake. This avoids clients having to contact the CA directly for revocation information, while also reducing latency and CA load.

How it works: The server caches an OCSP response for its certificate and updates it at regular intervals before expiry. When a client connects, the server supplies the stapled OCSP response as part of the TLS negotiation. The client can then verify the signature and status contained in the response to determine whether the certificate is still valid. If no stapled response is available or if the stapled response is invalid, the client may fall back to its own OCSP checks or consider the certificate status unknown.

Benefits and limitations: OCSP stapling improves privacy (clients do not reveal which sites they visit to the CA), reduces round-trips and latency, and decreases CA infrastructure load. It also helps during network outages when the client cannot reach OCSP responders. Limitations include dependence on the server’s ability to fetch and refresh the stapled response, the potential for stale information if the stapled data expires, and the fact that stapling does not guarantee revocation status beyond the stapled response’s validity period. Some clients may ignore stapled data if it is absent or invalid.

References: This technique is defined by standards and widely implemented in TLS stacks and servers.
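The server-side refresh cycle and the client-side freshness check described above, as an added example that is not part of the original page or of any TLS stack: a cache that refreshes the staple at a configurable fraction of its validity window, keeps serving the old response when the responder is unreachable but never staples an expired one, and a client decision that falls back to its own checks when the staple is missing, unsigned or stale. The OcspResponse model, the `fetch` callback and the sample dates are constructed for illustration, not parsed from a real responder.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

@dataclass
class OcspResponse:
    """Constructed model of the fields a client checks in a stapled response."""
    cert_status: str              # "good", "revoked" or "unknown"
    this_update: datetime         # start of the responder's validity window
    next_update: datetime         # end of the window; the staple is stale after this
    signature_valid: bool = True  # result of verifying the responder's signature

class StapleCache:
    """Server side: cache one response and refresh it well before next_update."""
    def __init__(self, fetch: Callable[[], OcspResponse], refresh_fraction: float = 0.5):
        self.fetch = fetch        # hypothetical call to the CA's OCSP responder
        self.refresh_fraction = refresh_fraction
        self.cached: Optional[OcspResponse] = None

    def staple_for_handshake(self, now: datetime) -> Optional[OcspResponse]:
        """Return the response to staple, or None if nothing current is available."""
        if self.cached is None or now >= self._refresh_at(self.cached):
            try:
                fresh = self.fetch()
                if fresh.this_update <= now < fresh.next_update:
                    self.cached = fresh   # only replace with a response that is current
            except OSError:
                pass                      # responder unreachable: keep the old one while it lasts
        if self.cached is None or now >= self.cached.next_update:
            return None                   # never staple an expired response
        return self.cached

    def _refresh_at(self, r: OcspResponse) -> datetime:
        return r.this_update + (r.next_update - r.this_update) * self.refresh_fraction

def client_decision(stapled: Optional[OcspResponse], now: datetime,
                    skew: timedelta = timedelta(minutes=5)) -> str:
    """Client side: 'good'/'revoked'/'unknown' from the staple, or 'fallback' if unusable."""
    if stapled is None or not stapled.signature_valid:
        return "fallback"                 # do a direct OCSP query or treat status as unknown
    if not (stapled.this_update - skew <= now < stapled.next_update + skew):
        return "fallback"                 # outside the validity window: stale data
    return stapled.cert_status

# Constructed sample data (not a real responder's output).
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
DAY, HOUR = timedelta(days=1), timedelta(hours=1)
def sample_response(status: str = "good", days: int = 7, signed: bool = True) -> OcspResponse:
    return OcspResponse(status, T0, T0 + days * DAY, signed)
```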