Image by Frantisek Krejci from Pixabay

OCSP Stapling with relayd

Online Certificate Status Protocol (OCSP) stapling is a standard for checking certificate revocation. Most commonly deployed on web servers using TLS and required if you’re aiming for an A+ on Qualys SSL Server Test. Even better, CloudFlare reports connection time improvement by up to 30% in some cases. [0]

The following is based on OpenBSD 6.7.

man relayd.conf

Manual page for relayd.conf states:

An optional OCSP staple file will be used during TLS handshakes with this server if it is found as a non-empty file in /etc/ssl/name:port.ocsp or /etc/ssl/name.ocsp. The file should contain a DER-format OCSP response retrieved from an OCSP server for the certificate in use, and can be created using ocspcheck(8).

Recommended deployment of relayd is to listen on 127.0.0.1 and use pf rdr-to rules to get traffic to it. This means the OCSP stapling file should be saved as: /etc/ssl/127.0.0.1:443.ocsp

Updating OCSP Staple File

OCSP staple files expire after some time requiring use of cron, or some other automated method, to update it. Thus the following shell script was created which leverages cron. It should be saved as /etc/OCSP-Update.sh and running the script once will automatically add the appropriate crontab for ~60 seconds before the OCSP staple file expires. This process of adding it’s own crontab means you can “set it and forget it!

References:
[0] https://blog.cloudflare.com/high-reliability-ocsp-stapling/