Enabling OCSP stapling on IIS SNI-enabled site

3 replies

Last post Sep 27, 2016 08:20 AM by Jean Sun

  • Enabling OCSP stapling on IIS SNI-enabled site

    Sep 02, 2016 11:07 PM | franzom

    If Require Server Name Indication is checked on the binding of an IIS site, OCSP stapling is disabled for the site.

    This is easily confirmed by enabling SNI for a site that currently doesn't require it, and checking using https://www.ssllabs.com/ssltest/ or openssl:

    openssl s_client -connect foobar.com:443 -servername foobar.com -tls1 -tlsextdebug -status

    Does anyone have a workaround for this so that clients of SNI-enabled sites can enjoy the benefits of OCSP stapling?

  • Re: Enabling OCSP stapling on IIS SNI-enabled site

    Sep 05, 2016 09:46 AM | Yuk Ding

    Hi franzom,

    According to the blog https://unmitigatedrisk.com/?p=95, OCSP stapling is enabled by default, even if you are not aware of it. Besides, you need to allow your web server to communicate with the OCSP responder before it works.

    Best Regards,

    Yuk Ding

    MSDN Community Support
    Please remember to "Mark as Answer" the responses that resolved your issue.
  • Re: Enabling OCSP stapling on IIS SNI-enabled site

    Sep 12, 2016 08:36 PM | franzom

    Thanks Yuk, but your answer is unhelpful.

    Try it yourself!

    1. Set up a site without SNI ticked.

    2. Confirm that OCSP stapling is working.

    3. Tick SNI.

    4. See that OCSP stapling is no longer working.
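
    The check described in the first post and the four-step reproduction above can be scripted. The following is an added example, not code from the thread or from IIS: it runs the same openssl s_client -status query twice, once with the SNI extension and once without, and classifies each transcript. The classification is exercised here on two constructed transcripts (assumed to match the wording openssl prints); the -noservername flag assumes OpenSSL 1.1.1 or newer, and -tls1 from the original command is omitted because many servers no longer accept TLS 1.0.

```shell
#!/bin/sh
# Added example (not from the thread): detect whether an HTTPS endpoint
# staples an OCSP response, with and without SNI, via openssl s_client.
set -e

# Classify an `openssl s_client -status` transcript.
# Prints "stapled" when a successful OCSP response was included in the
# handshake, "not-stapled" otherwise.
ocsp_status_from_output() {
    if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    else
        echo not-stapled
    fi
}

# Query one host on port 443. $2 is "sni" or "nosni". Network access required.
query_host() {
    host=$1
    if [ "$2" = sni ]; then
        openssl s_client -connect "$host:443" -servername "$host" -status \
            </dev/null 2>/dev/null || true
    else
        openssl s_client -connect "$host:443" -noservername -status \
            </dev/null 2>/dev/null || true
    fi
}

# Report stapling status for both handshake variants, e.g. for the
# reproduction steps in the thread (before and after ticking "Require SNI").
check_host() {
    host=$1
    echo "$host with SNI:    $(ocsp_status_from_output "$(query_host "$host" sni)")"
    echo "$host without SNI: $(ocsp_status_from_output "$(query_host "$host" nosni)")"
}

# Constructed transcripts (abridged) in the shape openssl prints, used so
# the classifier can be checked offline.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================
Server certificate
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----'

SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
Server certificate
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----'

# Usage: sh check_ocsp.sh example.com   (hostname is a placeholder)
if [ $# -gt 0 ]; then
    check_host "$1"
fi
```

    A site that shows "stapled" without SNI and "not-stapled" with SNI exhibits exactly the behaviour the thread reports; a site that shows "not-stapled" in both cases more likely has the responder-reachability problem mentioned in the second reply.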

  • Re: Enabling OCSP stapling on IIS SNI-enabled site

    Sep 27, 2016 08:20 AM | Jean Sun

    Hi franzom,

    It seems that you can't use SNI and OCSP stapling at the same time.

    OCSP stapling is supported by default since Windows Server 2008. There is no need to enable it manually anywhere. The thing you should know is that OCSP stapling works ONLY for the primary certificate for the IP address and domain name a certificate is issued for/pointed to.

    After a certificate is installed, you need to explicitly tell the server that the certificate you would like to have OCSP stapling configured for, does not require Server Name Indication (SNI).

    Picked from: https://www.namecheap.com/support/knowledgebase/article.aspx/9602/0/ocsp

    Best Regards,

    Jean

    MSDN Community Support
    Please remember to click "Mark as Answer" on the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.