Make SSL Connections Faster with OCSP Stapling
July 30, 2015 | Josh DeWald
If you prize security and believe milliseconds count, you’re gonna love this: MaxCDN now supports OCSP stapling, a method your users’ browsers can use to quickly and safely determine if your SSL certificate is valid. This is yet another release (remember HSTS?) that helps our customers make secure connections fast.
There have been rumors about OCSP stapling resulting in faster SSL negotiations, and we confirmed this with our own casual testing below.
How OCSP Stapling Works with MaxCDN
Without OCSP stapling enabled, browsers have to verify SSL certificates from the certificate’s vendor. With OCSP stapling enabled, browsers can verify the certificate directly from your origin server, or in this case, your zone on MaxCDN.
- MaxCDN queries your certificate vendor that responds with the status of your certificate and a digitally signed timestamp.
- When a browser connects to MaxCDN, we bundle (or “staple”) your vendor’s timestamp with the SSL certificate.
- The browser verifies the timestamp, and since it’s signed by the vendor, the browser can provide a valid status.
- The browser loads your CDN asset through a secure connection.
After MaxCDN receives the timestamp and we store it on our edges, we don’t have to query your certificate vendor again until the timestamp expires. As you can see below, steps are removed with OCSP stapling enabled on the CDN, resulting in a 20+ millisecond improvement in SSL negotiation times.
With OCSP Stapling
Browser → CDN
Browser ← CDN
Without OCSP Stapling
Browser → CDN → Certificate Vendor
Browser ← CDN ← Certificate Vendor
To test the performance benefits of OCSP stapling, we used Catchpoint to load a cached asset from our home page – before and after enabling OCSP stapling across our site. The file we used for testing was our .css file and was requested from Los Angeles.
With OCSP Stapling
Average SSL Connection Time: 27ms
Image: Catchpoint results of 3 different requests of cached .css file on MaxCDN’s homepage. OCSP Stapling is enabled on CDN.
Without OCSP Stapling
Average SSL Connection Time: 50ms
These tests indicate a 46% improvement with OCSP stapling enabled on the CDN. While 20+ milliseconds might not mean much on their own, they do mean something when bundled with other web performance best practices.
How to Enable on MaxCDN
While it’s not as simple as ticking a box and hitting save (like many of our features), enabling OCSP stapling on MaxCDN is pretty easy.
- Upload an SSL certificate. If you don’t already have one, you can purchase one through MaxCDN or buy your own.
- Upload the correct CA bundle. You must include the root and intermediate certificate files. We provided links to some CA bundles by more popular certificate vendors below.
- Purge your zone’s cache.
- Check to see if enabled properly. You can use one of the methods mentioned in the FAQ section below.
- Save users 24ms of life! If they visit your website every day for a year, you just saved em’ about 8 seconds. That’s a few tweets they could have seen while smartphone surfing, one of which could have linked to a life-changing article.
Do this through your MaxCDN control panel or API.
Does it cost extra for me to enable OCSP stapling on MaxCDN?
Where can I download my CA bundle?
It comes installed if we purchased the cert for you. However, if you bought your own cert through one of the following providers, click on the relevant link below to download it. You can also Google “[provider name] ca bundle download”.
How can I test that my certs are working properly?
Sometimes your certificates will work on the device you’re using, but not on other devices. For this reason, it’s good to do a QA check – especially for mobile devices. A good tool to use for this is webpagetest.org.
If you followed the steps for enabling OCSP stapling on MaxCDN above and you’re noticing problems on other devices, start a live chat with support. Our Speed Team will help you get everything worked out.
How do I check if OCSP Stapling is Enabled?
You can use this handy tool from SSL Labs. Or you can check with your Mac or Linux terminal. If the latter, insert this:
$ echo QUIT | openssl s_client -connect www.maxcdn.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
If OCSP stapling is successfully enabled on your zone, you will see this:
OCSP response: ====================================== OCSP Response Data: OCSP Response Status: successful (0x0) Response Type: Basic OCSP Response Version: 1 (0x0) Responder Id: 2C550853C94338C91F611A258D0EB76E0309D6DA Produced At: Jul 23 08:29:57 2015 GMT Responses: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: D1F1B576F9EEC0C10F7AFC7C3124A9C3625D7C61 Issuer Key Hash: EA4E7CD4802DE5158186268C826DC098A4CF970F Serial Number: 11218568A11500EF27D6201D94428AB54F1A Cert Status: good This Update: Jul 23 08:29:57 2015 GMT Next Update: Jul 23 20:29:57 2015 GMT
What If I can’t figure this thing out?