protocol tls server ocsp-stapling
Configures Online Certificate Status Protocol (OCSP) stapling on the server. OCSP is an alternative way to obtain certificate status: the status is retrieved from OCSP servers instead of from the origin server’s Public Key Infrastructure (PKI).
OCSP is used in SSL simplification. SSL simplification is a method of TLS optimization using an SSL agent. SSL simplification provides zero-touch certificate management for clients that have a Client Accelerator installed. This feature requires RiOS 9.12 or later on the client-side and server-side SteelHeads and Client Accelerator 6.2.2 or later on each client endpoint. For details on configuring SSL simplification and TLS optimization, see the SteelHead User Guide and the Client Accelerator User Guide.
Syntax
[no] protocol tls server ocsp-stapling [off | strict | strict_aia | loose]
Parameters
off | Disables OCSP if it has been enabled. By default, OCSP is disabled.
strict | If the origin server does not support OCSP, the connection is bypassed (dropped, not optimizable).
strict_aia | If the certificate includes an Authority Information Access (AIA) field but the origin server failed to send an OCSP response, the connection is bypassed. If the certificate does not include an AIA field and the origin server failed to send an OCSP response, the connection is not dropped, because the server-side SteelHead does not expect an OCSP response.
loose | If the origin server does not support OCSP, the connection is not dropped.
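The decision each mode makes, written out as an added example (this is not Riverbed code and does not reflect the SteelHead implementation; it models only the semantics stated in the Parameters table). The two inputs the table depends on are whether the origin server stapled an OCSP response and whether the server certificate carries an AIA extension. The sample strings below are constructed in the shape that `openssl s_client -status` and `openssl x509 -text` print; they were not captured from a real server.

```python
"""Model of the ocsp-stapling modes: off, strict, strict_aia, loose.

Added example. Parses constructed text shaped like `openssl s_client -status`
and `openssl x509 -text` output, then applies the mode semantics from the
Parameters table to decide whether a connection is optimized or bypassed.
"""
import re

# Constructed sample: handshake in which the origin server stapled a good response.
S_CLIENT_STAPLED = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================
depth=0 CN = www.example.test
"""

# Constructed sample: handshake in which the origin server stapled nothing.
S_CLIENT_NO_STAPLE = """\
CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = www.example.test
"""

# Constructed sample: certificate text with an AIA extension naming an OCSP responder.
CERT_WITH_AIA = """\
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://ocsp.example.test
                CA Issuers - URI:http://ca.example.test/ca.crt
"""

# Constructed sample: certificate text with no AIA extension at all.
CERT_WITHOUT_AIA = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
"""


def server_stapled(s_client_output: str) -> bool:
    """True if the handshake carried a stapled OCSP response with status 'successful'."""
    return bool(re.search(r"OCSP Response Status:\s*successful", s_client_output))


def cert_has_aia_ocsp(cert_text: str) -> bool:
    """True if the certificate's AIA extension lists an OCSP URI."""
    return bool(re.search(r"Authority Information Access:.*?OCSP - URI:", cert_text, re.S))


def decide(mode: str, has_aia: bool, stapled: bool) -> str:
    """Return 'optimize' or 'bypass' for one connection under the given mode.

    off        - OCSP is not requested, so a missing response cannot cause a bypass.
    strict     - no stapled response -> bypass, regardless of the certificate.
    strict_aia - no stapled response AND the certificate has an AIA field -> bypass;
                 without an AIA field no response is expected, so optimize.
    loose      - a missing response never causes a bypass.
    """
    if mode in ("off", "loose"):
        return "optimize"
    if mode == "strict":
        return "optimize" if stapled else "bypass"
    if mode == "strict_aia":
        return "optimize" if (stapled or not has_aia) else "bypass"
    raise ValueError(f"unknown ocsp-stapling mode: {mode}")


def evaluate(mode: str, s_client_output: str, cert_text: str) -> str:
    """Combine the two parsers with the mode decision."""
    return decide(mode, cert_has_aia_ocsp(cert_text), server_stapled(s_client_output))


if __name__ == "__main__":
    for mode in ("off", "strict", "strict_aia", "loose"):
        for cert_name, cert in (("AIA", CERT_WITH_AIA), ("no AIA", CERT_WITHOUT_AIA)):
            print(f"{mode:10} no staple, {cert_name:6} -> "
                  f"{evaluate(mode, S_CLIENT_NO_STAPLE, cert)}")
```

Before choosing `strict`, the practical check is to confirm from the server-side SteelHead's network position that the origin server actually staples, for example with `openssl s_client -connect host:443 -status`; the `strict_aia` row shows why that matters only when the certificate advertises an OCSP responder.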
Usage
When you enable TLS optimization, the old SSL blade and the new TLS blade are active in the SteelHead and Client Accelerator. TLS optimization is activated only when it is enabled on both SteelHead peers and the Client Accelerator (or the Client Accelerator and the SteelHead). Otherwise, the old SSL blade will continue to be used.
The no command option configures the system to not use TLS renegotiation.
Example
amnesiac (config) # protocol tls server ocsp-stapling strict
Product
SteelHead CX
Related Commands