OCSP Stapling

Started by Lee Sautia, 13 August 2014 - 06:07 PM
5 replies to this topic

Lee Sautia Members


Posted 13 August 2014 - 06:07 PM

Hi All,

 

I've been looking at the Netscaler reference and I'm trying to figure out if it's possible to configure a vserver that does OCSP Stapling. Our current situation is such that the client browser incurs 50-70 msec just to confirm cert revocation status with our provider.

 

I'm looking at this documentation http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-ssl-config-ocsp-responder-tsk.html, but this sounds more like the netscaler is caching an OCSP response for some service it may proxy downstream.



Andrew Sandford Citrix Employees


Posted 14 August 2014 - 07:04 AM

Hi Lee,

 

We do not support OCSP Stapling at this time.

 

You may open a product enhancement request with Citrix Support for this feature.

 

Regards,

 

Andrew



Rohit Shetty Members


Posted 24 February 2016 - 11:39 AM

Dear All,

 

Any update on when this feature will be made available?

 

Thanks & Regards,

Rohit



Pankaj Kumar Citrix Employees


Posted 07 March 2016 - 04:58 PM

> Dear All,
>
> Any update on when this feature will be made available?
>
> Thanks & Regards,
>
> Rohit

Hi Rohit, 

 

We are developing this feature and it shall be available by the end of the year.

 

Regards,

Pankaj.



Darren Bennett Members


Posted 12 October 2016 - 10:23 AM

Courtesy of Ronan O'Brien (Citrix) on the User Groups forum (note this is for 11.1+):

The caching of the OCSP responses is part of the OCSP responder configuration, and there are only two settings:
 

1) Turn it on or off
2) How long do you want to cache the OCSP response

 

add ssl ocspResponder <name> -url <URL> [-cache ( ENABLED | DISABLED ) [-cacheTimeout <positive_integer>]]
 

There is nothing else you have to do! No content groups, policies, etc. All that is baked into the OCSP responder config.

https://www.mycugc.org/p/fo/st/thread=1304

 

 

 



Claus Jan Harms Members


Posted 03 January 2017 - 08:01 AM

Since this feature is now available in the new NetScaler 11.1 Build 51.21 Release, I tried to configure it on an SSL Content Switch but no luck so far. https://docs.citrix.com/en-us/netscaler/11-1/ssl/ssl-11-1-ocsp-stapling-solution.html

 

Either via SSL Profiles or SSL Parameters I can't seem to get it to work. Anyone else tried it yet and succeeded? 

 

I also tried playing around with the Settings of the new "INTERNAL_" OCSP Responder created for the specific Server Certificate.

 

Greetings,

Claus
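
One way to check from a client whether a virtual server is actually sending a stapled OCSP response, as an added example that is not part of this thread or of Citrix's documentation: it classifies the OCSP section of `openssl s_client -status` output. The function and sample names, the hostname `vserver.example.com`, and the sample outputs are constructed for illustration.

```shell
# Classify the OCSP section of `openssl s_client -status` output read on stdin.
# Prints NO_STAPLE, STAPLE_GOOD, STAPLE_REVOKED, STAPLE_UNKNOWN,
# STAPLE_ERROR (responder status not "successful") or NO_STATUS_INFO
# (no OCSP section at all, e.g. -status was not passed).
classify_staple() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo NO_STAPLE; return 0
    fi
    rstatus=$(printf '%s\n' "$out" |
        sed -n 's/^ *OCSP Response Status: *\([a-zA-Z]*\).*/\1/p' | head -n 1)
    if [ -z "$rstatus" ]; then echo NO_STATUS_INFO; return 0; fi
    if [ "$rstatus" != "successful" ]; then echo STAPLE_ERROR; return 0; fi
    cstatus=$(printf '%s\n' "$out" |
        sed -n 's/^ *Cert Status: *\([a-z]*\).*/\1/p' | head -n 1)
    case "$cstatus" in
        good)    echo STAPLE_GOOD ;;
        revoked) echo STAPLE_REVOKED ;;
        *)       echo STAPLE_UNKNOWN ;;
    esac
}

# Live use; vserver.example.com is a placeholder hostname:
#   openssl s_client -connect vserver.example.com:443 \
#     -servername vserver.example.com -status </dev/null 2>/dev/null | classify_staple

# Constructed sample: handshake in which the server sent no stapled response.
sample_no_staple() { cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
---
EOF
}

# Constructed sample: handshake carrying a stapled response.
sample_stapled() { cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  3 06:00:00 2017 GMT
    Next Update: Jan 10 06:00:00 2017 GMT
EOF
}

sample_no_staple | classify_staple
sample_stapled | classify_staple
```

A `NO_STAPLE` result on the first connection after a configuration change is worth re-testing, since a server that fetches the OCSP response lazily may not have one cached yet.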