From 8a9f7247d452b4bd4fe3279ee75728a2d0bbd320 Mon Sep 17 00:00:00 2001 From: Waldemar Quevedo Date: Wed, 16 Jun 2021 13:44:10 -0700 Subject: [PATCH 1/4] Add notes on configuration of OCSP --- nats-server/configuration/ocsp.md | 83 +++++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 nats-server/configuration/ocsp.md diff --git a/nats-server/configuration/ocsp.md b/nats-server/configuration/ocsp.md new file mode 100644 index 0000000..b628292 --- /dev/null +++ b/nats-server/configuration/ocsp.md 
@@ -0,0 +1,83 @@ +# OCSP Stapling + +_Supported since NATS Server version 2.3_ + +[OCSP Stapling](https://en.wikipedia.org/wiki/OCSP_stapling) is honored by default for certificates that have +the [status_request Must-Staple flag](https://datatracker.ietf.org/doc/html/rfc6961). + +When a certificate is configured with OCSP Must-Staple, the NATS Server will fetch staples from the configured OCSP responder URL +that is present in a certificate. For example, given a certificate with the following configuration: + +``` +[ ext_ca ] +... +authorityInfoAccess = OCSP;URI:http://ocsp.example.net:80 +tlsfeature = status_request +... +``` + +The NATS server will make a request to the OCSP responder to fetch a new staple which will be then presented to +any TLS connection that is accepted by the server during the TLS handshake. + +OCSP Stapling can be explicitly enabled or disabled in the NATS Server by setting the following flag in the NATS configuration file: + +```hcl +ocsp: false +``` + +**Note**: When OCSP Stapling is disabled, the NATS Server will not request staples even if the certificate has +the Must-Staple flag. + +## Advanced configuration + +By default, the NATS Server will be running in OCSP `auto` mode. In this mode the server will only fetch +staples when the Must-Staple flag is configured in the certificate. 
+ +There are a other different OCSP modes that control the behavior on whether OCSP should be enforced and server +should shutdown if the cert runs with a revoked staple: + +| Mode | Description | Server shutdowns when revoked | +| --------- | ---- | ----- | +| auto | Enables OCSP Stapling when it has the must staple/status_request flag | No | +| must | Enables OCSP Staping when it has the must staple/status_request flag | Yes | +| always | Enables OCSP Stapling for all certificates | Yes | +| never | Disables OCSP Stapling even if must staple flag is present (same as `ocsp: false` | No | + +For example, in the following configuration OCSP, the mode is set to `must`. This means that staples will be fetched only for certificates +that have the Must-Staple flag enabled as well, but in case of revokation the server will shutdown rather than run with a revoked staple. +In this configuration, the `url` will also override OCSP responder URL that may have been configured in +the certificate. + +```hcl +ocsp { + mode: must + url: "http://ocsp.example.net" +} +``` + +In case staples are always required regardless of the configuration of the certificate, then this can be enforced as follows: + +```hcl +ocsp { + mode: always + url: "http://ocsp.example.net" +} +``` + +## Caching of staples + +When a `store_dir` is configured in the NATS Server, the directory will be used to cache staples on disk +to allow the server to resume in case of restarts without having to make another request to the OCSP responder +in case the staple is still valid. + +```hcl +store_dir: "/path/to/store/dir" +tls { + cert_file: "configs/certs/ocsp/server-status-request-url.pem" + key_file: "configs/certs/ocsp/server-status-request-url-key.pem" + ca_file: "configs/certs/ocsp/ca-cert.pem" + timeout: 5 +} +``` + +If JetStream is enabled, then the same `store_dir` will be reused and disk caching will be automatically enabled. From 9cd2de879513c6462e4f0e1e42698a3ae4f0c221 Mon Sep 17 00:00:00 2001 
From: Ginger Collison Date: Wed, 16 Jun 2021 16:31:17 -0500 Subject: [PATCH 2/4] syntax & grammar review --- nats-server/configuration/ocsp.md | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/nats-server/configuration/ocsp.md b/nats-server/configuration/ocsp.md index b628292..1899552 100644 --- a/nats-server/configuration/ocsp.md +++ b/nats-server/configuration/ocsp.md @@ -16,7 +16,7 @@ tlsfeature = status_request ... ``` -The NATS server will make a request to the OCSP responder to fetch a new staple which will be then presented to +The NATS server will make a request to the OCSP responder to fetch a new staple which will then be presented to any TLS connection that is accepted by the server during the TLS handshake. OCSP Stapling can be explicitly enabled or disabled in the NATS Server by setting the following flag in the NATS configuration file: 
@@ -28,24 +28,24 @@ ocsp: false **Note**: When OCSP Stapling is disabled, the NATS Server will not request staples even if the certificate has the Must-Staple flag. -## Advanced configuration +## Advanced Configuration By default, the NATS Server will be running in OCSP `auto` mode. In this mode the server will only fetch staples when the Must-Staple flag is configured in the certificate. -There are a other different OCSP modes that control the behavior on whether OCSP should be enforced and server -should shutdown if the cert runs with a revoked staple: +There are other OCSP modes that control the behavior as to whether OCSP should be enforced and the server +should shutdown if the certificate runs with a revoked staple: | Mode | Description | Server shutdowns when revoked | | --------- | ---- | ----- | -| auto | Enables OCSP Stapling when it has the must staple/status_request flag | No | -| must | Enables OCSP Staping when it has the must staple/status_request flag | Yes | +| auto | Enables OCSP Stapling when the certificate has the must staple/status_request flag | No | +| must | Enables OCSP Staping when the certificate has the must staple/status_request flag | Yes | | always | Enables OCSP Stapling for all certificates | Yes | -| never | Disables OCSP Stapling even if must staple flag is present (same as `ocsp: false` | No | +| never | Disables OCSP Stapling even if must staple flag is present (same as `ocsp: false`) | No | -For example, in the following configuration OCSP, the mode is set to `must`. This means that staples will be fetched only for certificates -that have the Must-Staple flag enabled as well, but in case of revokation the server will shutdown rather than run with a revoked staple. -In this configuration, the `url` will also override OCSP responder URL that may have been configured in +For example, in the following OCSP configuration, the mode is set to `must`. 
This means that staples will be fetched only for certificates +that have the Must-Staple flag enabled as well, but in case of revocation the server will shutdown rather than run with a revoked staple. +In this configuration, the `url` will also override the OCSP responder URL that may have been configured in the certificate. ```hcl @@ -55,7 +55,7 @@ ocsp { } ``` -In case staples are always required regardless of the configuration of the certificate, then this can be enforced as follows: +If staples are always required, regardless of the configuration of the certificate, you can enforce the behavior as follows: ```hcl ocsp { @@ -64,11 +64,11 @@ ocsp { } ``` -## Caching of staples +## Caching of Staples When a `store_dir` is configured in the NATS Server, the directory will be used to cache staples on disk to allow the server to resume in case of restarts without having to make another request to the OCSP responder -in case the staple is still valid. +if the staple is still valid. ```hcl store_dir: "/path/to/store/dir" From 71af6c9b6b79cfe0b0a2a017e688827af47c1b68 Mon Sep 17 00:00:00 2001 From: Waldemar Quevedo Date: Tue, 22 Jun 2021 10:00:42 -0700 Subject: [PATCH 3/4] Update ocsp.md --- nats-server/configuration/ocsp.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/nats-server/configuration/ocsp.md b/nats-server/configuration/ocsp.md index 1899552..6ebe31f 100644 --- a/nats-server/configuration/ocsp.md +++ b/nats-server/configuration/ocsp.md 
@@ -19,7 +19,7 @@ tlsfeature = status_request The NATS server will make a request to the OCSP responder to fetch a new staple which will then be presented to any TLS connection that is accepted by the server during the TLS handshake. -OCSP Stapling can be explicitly enabled or disabled in the NATS Server by setting the following flag in the NATS configuration file: +OCSP Stapling can be explicitly enabled or disabled in the NATS Server by setting the following flag in the NATS configuration file at the top-level: ```hcl ocsp: false @@ -71,7 +71,10 @@ to allow the server to resume in case of restarts without having to make another if the staple is still valid. ```hcl +ocsp: true + store_dir: "/path/to/store/dir" + tls { cert_file: "configs/certs/ocsp/server-status-request-url.pem" key_file: "configs/certs/ocsp/server-status-request-url-key.pem" From e6976fa9914133a90ac0de338a1ea52495e6e64e Mon Sep 17 00:00:00 2001 From: Ginger Collison Date: Wed, 23 Jun 2021 16:51:59 -0500 Subject: [PATCH 4/4] Add OCSP Stapling to outline --- SUMMARY.md | 1 + 1 file changed, 1 insertion(+) diff --git a/SUMMARY.md b/SUMMARY.md index b155db7..ac91f7c 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -100,6 +100,7 @@ * [Monitoring](nats-server/configuration/monitoring.md) * [MQTT](nats-server/configuration/mqtt/README.md) * [Configuration](nats-server/configuration/mqtt/mqtt_config.md) + * [OCSP Stapling](nats-server/configuration/ocsp.md) * [Subject Mapping and Traffic Shaping](nats-server/configuration/subject_mapping.md) * [System Events](nats-server/configuration/sys_accounts/README.md) * [System Events & Decentralized JWT Tutorial](nats-server/configuration/sys_accounts/sys_accounts.md)
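Review bot: in the new ocsp.md (patch 1/4, hunk `@@ -0,0 +1,83 @@`) the disable path is under-documented: the `**Note**` paragraph says that with `ocsp: false` the server will not request staples even if the certificate has the Must-Staple flag, but it does not say what a connecting client that honours the `status_request` flag will then see, so a reader cannot tell whether `ocsp: false` is safe to set on such a certificate; add the expected client-side outcome next to that note. The `always` example also shows a `url`, while the text only describes `url` as overriding the responder URL found in the certificate; state whether `url` is required when `mode: always` is used with a certificate that carries no `authorityInfoAccess` OCSP URI, since that is exactly the case `always` exists for. Similarly, the caching section says the cached staple is reused "if the staple is still valid" but never says what the server does on restart when the cached staple has expired or when `store_dir` is unset and the responder is unreachable; one sentence on each would let an operator plan for responder outages.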
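Review bot: the grammar pass in patch 2/4, hunk `@@ -28,24 +28,24 @@`, leaves several errors in the span it touches: the `must` row still reads `Enables OCSP Staping`, the header `Server shutdowns when revoked` should be `Server shuts down when revoked`, and both `should shutdown` in the intro sentence and `the server will shutdown` in the `must` paragraph use the noun form where the verb `shut down` is needed. The closing parenthesis added to the `never` row and the `revocation` fix are correct.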
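Review bot: style point on patch 3/4, hunk `@@ -19,7 +19,7 @@`: `at the top-level` should be `at the top level`, since the phrase is not used as a modifier here; the hyphenated form belongs only before a noun (as in "top-level key").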
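Review bot: patch 3/4, hunk `@@ -71,7 +71,10 @@`, puts `ocsp: true` at the top of the caching example, but nothing on the page defines what the boolean form maps to: the table equates `ocsp: false` with `never`, and the text says the default is `auto`, so the reader cannot tell whether `ocsp: true` selects `auto`, `must` or `always`, or whether it differs at all from omitting the key. Add a sentence beside the existing `ocsp: false` note stating which mode `ocsp: true` selects, and say in the caching paragraph whether the example needs `ocsp: true` for caching or whether it is only there for illustration.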