Java uses openssl to detect whether the website supports ocsp

This article brings you relevant knowledge about java. OCSP Online Certificate Status Protocol was proposed to replace CRL; modern web servers generally support OCSP. OCSP is also a standard configuration of modern web servers. Let’s take a look at it. I hope it will be helpful to everyone.

Recommended study: "java Video Tutorial"

OCSP Online Certificate Status Protocol was proposed to replace CRL. Modern web servers generally support OCSP, and OCSP is also standard for modern web servers.

But OCSP stapling is not supported by all web servers. But in real work, we may need to know the extent to which a specific website supports OCSP.

Websites that support OCSP stapling

How to determine whether a web site supports OCSP stapling?

The easiest way is to go to a third-party website to check the website’s certificate information. For example, we mentioned entrust.ssllabs.com before. By entering the corresponding website information, in the
Protocol Details section, you can find the specific information about whether the website supports OCSP stapling, as shown below:

You can see that this website has OCSP stapling enabled. But in fact, most websites in the world do not enable OCSP stapling.

So besides checking OCSP stapling on a third-party website, is there any other way?

In fact we can easily do this using the openssl artifact. Of course, the premise is that this website supports https.

Next we will explain in detail the entire process from obtaining the server's certificate to verifying whether the server supports OCSP stapling.

The website to be verified in this article is Microsoft’s official website www.squarespace.com, which is a website that supports OCSP stapling.

Get the server's certificate

To verify whether the server supports OSCP, we first need to obtain the server's certificate. You can use openssl s_client -connect provided by openssl to complete this work.

 openssl s_client -connect www.squarespace.com:443

This command will output all the content of establishing a connection, including the certificate information of the website to be accessed.

Because we only need the certificate of the website, we need to put -----BEGIN CERTIFICATE----- and -----END CERTIFICATE---- -The content between can be saved.

Then the final command is as follows:

openssl s_client -connect www.squarespace.com:443 | sed -n '/-----BEGIN/,/-----END/p' > ca.pem

Here we use a sed -n command to intercept the output starting with -----BEGIN and -----END ends the data.

Finally we got the certificate of the website.

In addition to the certificate of the website itself, the certificate of the website itself is signed by other certificates. These certificates are called intermediate certificates. We need to obtain the entire certificate chain.

Also use openssl's openssl s_client -showcerts command to obtain all certificate chains:

openssl s_client -showcerts  -connect www.squarespace.com:443 | sed -n '/-----BEGIN/,/-----END/p' > chain.pem

If you open the chain.pem file, you can find that there are two in the file Certificates, the top one is the certificate of the server itself, and the second one is the intermediate certificate used to sign the server certificate.

Get the OCSP responder address

If the certificate contains the address of the OCSP responder, you can use the following command to obtain it:

openssl x509 -noout -ocsp_uri -in ca.pem

We can get the OCSP responder address of the website Is: http://ocsp.digicert.com.

There is another way to get the address of ocsp responder:

openssl x509 -text -noout -in ca.pem

This command will output all the information of the certificate, we can see the following content:

 Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt

where OCSP - URI is the address of OCSP responder.

Send OCSP request

With the address of the OCSP responder, we can perform OCSP verification. In this command, we need to use the server's certificate and intermediate certificate.

The specific request command is as follows:

openssl ocsp -issuer chain.pem -cert ca.pem -text -url http://ocsp.digicert.com

We can get two parts from the output. The first part is OCSP Request Data, which is the OCSP request data:

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 521EE36C478119A9CB03FAB74E57E1197AF1818B
          Issuer Key Hash: 09262CA9DCFF639140E75867E2083F74F6EAF165
          Serial Number: 120014F1EC2395D56FDCC4DCB700000014F1EC
    Request Extensions:
        OCSP Nonce:
            04102873CFC7831AB971F3FDFBFCF3953EC5

From the request In the data, we can see the detailed OCSP request data structure, including the issuer content and OCSP nonce.

The second part is the response data. Unfortunately, we got the following request error response data:

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: B76BA2EAA8AA848C79EAB4DA0F98B2C59576B9F4
    Produced At: Apr 30 04:36:26 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: E4E395A229D3D4C1C31FF0980C0B4EC0098AABD8
      Issuer Key Hash: B76BA2EAA8AA848C79EAB4DA0F98B2C59576B9F4
      Serial Number: 0F21C13200AE502D52BBE8DFEAB0F807
    Cert Status: good
    This Update: Apr 30 04:21:01 2022 GMT
    Next Update: May  7 03:36:01 2022 GMT

In the above returned result, Cert Status: good means that the OCSP request was successful. This The website is a website that supports the OCSP protocol.

The following two lines are the time of the last update of OCSP and the time of the next update:

    This Update: Apr 30 04:21:01 2022 GMT
    Next Update: May  7 03:36:01 2022 GMT

Indicates that this website also supports OCSP stapling.

In addition, when requesting the OCSP url of some websites, you may get the following exception:

Error querying OCSP responder
4346349100:error:27FFF072:OCSP routines:CRYPTO_internal:server response error:/AppleInternal/Library/BuildRoots/66382bca-8bca-11ec-aade-6613bcf0e2ee/Library/Caches/com.apple.xbs/Sources/libressl/libressl-2.8/crypto/ocsp/ocsp_ht.c:251:Code=400,Reason=Bad Request

Why is this?

This is because the website ocsp.msocsp.com does not support the OCSP default HTTP 1.0 request. In the HTTP 1.0 request, there is no Host request header by default. So we need to add the Host request header and then execute it again.

A simpler method

Above we actually split the request and executed it step by step. We can also use openssl to perform tasks in one step as follows:

openssl s_client -tlsextdebug -status -connect www.squarespace.com:443

从输出中，我们可以看到下面的数据：

OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: B76BA2EAA8AA848C79EAB4DA0F98B2C59576B9F4
    Produced At: Apr 27 04:36:26 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: E4E395A229D3D4C1C31FF0980C0B4EC0098AABD8
      Issuer Key Hash: B76BA2EAA8AA848C79EAB4DA0F98B2C59576B9F4
      Serial Number: 0F21C13200AE502D52BBE8DFEAB0F807
    Cert Status: good
    This Update: Apr 27 04:21:02 2022 GMT
    Next Update: May  4 03:36:02 2022 GMT

上面的命令直接输出了OCSP response结果，从结果中我们很清楚的看到该网站是否支持OCSP和OCSP stapling。

推荐学习：《java视频教程》

The above is the detailed content of Java uses openssl to detect whether the website supports ocsp. For more information, please follow other related articles on the PHP Chinese website!