OCSP-STAPLING
OCSP pre-attached to TLS handshake.
Definition
OCSP Stapling uses the TLS status_request extension with a CA-signed OCSPResponse. Benefits: no client IP leak to CA, reduced handshake latency, short-term offline operation. OCSP Must-Staple (RFC 7633) mandates its use via an X.509 extension.
Origin
OCSP RFC 2560 published June 1999 ; OCSP Stapling RFC 6066 October 2011 ; Must-Staple RFC 7633 October 2015.
Example in context
A nginx server pre-fetches the Letsencrypt OCSP response every hour and staples it into the TLS handshake.
Related terms
- CRL — legacy mechanism.