Optimizing SSL Security and Performance with OCSP and NetScaler

This post covers OCSP, NetScaler and SSL/TLS: what OCSP and OCSP stapling give you, and how to configure them on NetScaler.

Intro

Online Certificate Status Protocol (OCSP) is an alternative to, and replacement for, the Certificate Revocation List (CRL); like the CRL it is a method for validating the status of a certificate.

The CRL method requires the client to download a potentially large amount of certificate revocation information: the serial number and status of each revoked certificate, plus the list's last publication date. One of the issues with the CRL method is that it increases the time spent completing the SSL negotiation.

OCSP does not require the client to spend time downloading and then searching a list for certificate information. With OCSP, the client simply posts a query and receives a response from an OCSP responder about the revocation status of a single certificate.

When OCSP is configured on NetScaler, it reports the status of the client certificate only.
To check the revocation status of a server certificate during the SSL handshake, the client must either send a request to the certificate authority's OCSP responder itself, or use OCSP stapling, which NetScaler supports from release 11.1 build 51.21.
OCSP stapling enables a revocation status check of the supplied server certificate without the clients contacting the CA: NetScaler sends an OCSP request to the OCSP responder (e.g. the CA) and caches the response until NextUpdate occurs. For subsequent OCSP requests NetScaler checks its cache first before contacting the CA OCSP responder again.

Benefits and objectives

  • Increase security
    • If the certificate is revoked, the connection is reset and no content is shown
  • Optimize performance
    • Faster SSL/TLS negotiation
    • Offload the CA OCSP responder by delivering the response from cache

OCSP Traffic flow

The traffic flow is illustrated below.

OCSP stapling:

[figure: OCSP stapling traffic flow]

OCSP with client authentication:

[figure: OCSP with client authentication traffic flow]

OCSP Configuration steps

Via the GUI:

OCSP is configured by enabling an OCSP binding on the intermediate CA certificate:

[figure: OCSP binding on the intermediate CA certificate]

Add the responder. If the responder URL is published in the certificate, the responder is already listed; otherwise you have to add the OCSP responder yourself:

[figure: adding the OCSP responder]

Add OCSP responder from CLI:

OCSP stapling is a check box on the SSL vServer:

[figure: OCSP stapling check box on the SSL vServer]

The last step is to bind the intermediate certificate as a CA certificate on the SSL vServer:

[figure: binding the intermediate certificate as CA certificate]

Then choose OCSP Mandatory in the CRL and OCSP Check dropdown.

Notes and requirements

  • NetScaler communicates with the OCSP responder over HTTP via the Subnet IP (SNIP)
  • The TLS certificate must embed the OCSP extension
  • NetScaler appliances support OCSP as defined in RFC 2560
  • OCSP stapling requires TLS 1.0 or higher
  • NetScaler appliances support OCSP stapling as defined in RFC 6066
  • OCSP stapling is supported only on the front end of NetScaler appliances
  • OCSP stapling is supported from NetScaler 11.1 build 51.21 and later

Troubleshooting

From Shell on NetScaler, run the following to verify OCSP statistics:

From NS CLI:

Verify configuration.
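The GUI steps above and the verification step, expressed as NetScaler CLI commands. This is an added example, not commands from the original post; the responder name ocsp_ca_responder, its URL, the certkey name Intermediate_CA and the vServer name vs_ssl are assumed.

```nscli
# Assumed names: ocsp_ca_responder, Intermediate_CA (certkey already installed), vs_ssl

# 1. Define the OCSP responder. Only needed when the responder URL is not
#    published in the certificate; -cache ENABLED keeps the response until
#    NextUpdate, -cacheTimeout caps the cache lifetime (minutes).
add ssl ocspResponder ocsp_ca_responder -url http://ocsp.example.com -cache ENABLED -cacheTimeout 30

# 2. Bind the responder to the intermediate CA certkey (priority orders
#    multiple responders bound to the same certkey).
bind ssl certKey Intermediate_CA -ocspResponder ocsp_ca_responder -priority 1

# 3. Enable OCSP stapling on the front-end SSL vServer so NetScaler fetches
#    and caches the server certificate status instead of each client doing so.
set ssl vserver vs_ssl -ocspStapling ENABLED

# 4. Bind the intermediate as a CA certificate with a mandatory OCSP check for
#    client certificates. Mandatory rejects the client when the status cannot
#    be obtained (responder unreachable); Optional rejects only on an explicit
#    "revoked" answer, so Mandatory is the fail-closed choice.
bind ssl vserver vs_ssl -certkeyName Intermediate_CA -CA -ocspCheck Mandatory

# Verify: responder settings, bindings on the certkey and vServer, SSL counters.
show ssl ocspResponder ocsp_ca_responder
show ssl certKey Intermediate_CA
show ssl vserver vs_ssl
stat ssl
```

After a few handshakes, a revoked test certificate should be rejected at step 4 while `stat ssl` shows the responder being consulted once per cache interval rather than per connection.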

Other references

  • Citrix Docs: Monitoring Certificate Status with OCSP
  • Citrix Docs: Providing the Revocation Status of a Server Certificate to a Client