OCSP Stapling with wolfSSL

Did you know that wolfSSL supports OCSP Stapling (Certificate Status Request TLS Extension) described in RFC6066 and OCSP Stapling v2 (Certificate Status Request TLS Extension v2) described in RFC6961?

And what benefits can we get out of it?

Without OCSP stapling, SSL/TLS clients need to spend extra resources on a second socket to communicate with an OCSP Responder in order to validate the server's certificate using OCSP. Also, the OCSP Responder is likely to be hit by enormous volumes of OCSP requests if a certificate is issued to a high-traffic server, introducing a significant cost for the certificate authority.

OCSP stapling allows the server to bear the resource cost involved in providing OCSP responses by appending a time-stamped OCSP response to the initial SSL/TLS handshake, eliminating the need for clients to contact the OCSP Responder. This way, a single OCSP response can be reused until it expires, at which point the server must obtain a new OCSP response from the OCSP Responder.
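The lifecycle just described, as an added illustration that is not wolfSSL code: a server caches one OCSP response per certificate and only goes back to the responder once that response has expired, and a client checks the stapled response (responder signature, covered certificate, validity window, status) instead of opening its own connection. The responder, its HMAC "signature" and the integer timestamps are stand-ins for the real signed ASN.1 structures.

```python
"""Model of the OCSP-stapling lifecycle: server-side caching with refresh on
expiry, and client-side checks on the stapled response. Added illustration,
not wolfSSL code; the responder and its HMAC 'signature' are stand-ins."""
import hmac, hashlib
from dataclasses import dataclass

RESPONDER_KEY = b"constructed-responder-key"   # stand-in for the responder's signing key

@dataclass(frozen=True)
class OCSPResponse:
    serial: int          # serial of the certificate this response covers
    status: str          # "good" or "revoked"
    this_update: int     # simplified timestamps in seconds
    next_update: int     # response expires at this time
    sig: bytes           # responder "signature" over body()

    def body(self) -> bytes:
        return f"{self.serial}|{self.status}|{self.this_update}|{self.next_update}".encode()

def responder_sign(serial: int, status: str, now: int, lifetime: int = 3600) -> OCSPResponse:
    """Stand-in OCSP responder: issues a time-stamped, signed status response."""
    body = f"{serial}|{status}|{now}|{now + lifetime}".encode()
    return OCSPResponse(serial, status, now, now + lifetime,
                        hmac.new(RESPONDER_KEY, body, hashlib.sha256).digest())

class StaplingServer:
    """Caches one response per certificate and re-fetches only after next_update."""
    def __init__(self, serial: int, fetch):
        self.serial, self.fetch, self.cached, self.fetches = serial, fetch, None, 0

    def staple(self, now: int) -> OCSPResponse:
        """Return the response to staple into this handshake's ServerHello/CertificateStatus."""
        if self.cached is None or now >= self.cached.next_update:
            self.cached = self.fetch(self.serial, now)   # expired: ask the responder again
            self.fetches += 1
        return self.cached

def client_accepts(resp: OCSPResponse, expected_serial: int, now: int, skew: int = 300) -> bool:
    """Checks a stapling client performs before trusting the stapled response."""
    expected = hmac.new(RESPONDER_KEY, resp.body(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, resp.sig):
        return False                              # not issued by the responder
    if resp.serial != expected_serial:
        return False                              # does not cover the server's own certificate
    if not (resp.this_update - skew <= now < resp.next_update):
        return False                              # stale or not yet valid
    return resp.status == "good"
```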

OCSP Stapling v2 defines a new extension, “status_request_v2”, with an extended format that allows the client to indicate support for multiple status request methods.

For more details on using OCSP Stapling in wolfSSL, please refer to the wolfSSL Manual or contact us at facts@wolfssl.com.