OCSP Stapling: How CloudFlare Just Made SSL 30% Faster - jgrahamc
http://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30

======
reaperhulk
It's nice that they've enabled this on their servers, but it comes with some
caveats at the moment.

First, not all browsers support it. For example, no version of Firefox
supports it at this time (see:
<https://bugzilla.mozilla.org/show_bug.cgi?id=360420>).

Second, OCSP stapling was originally conceived for only the end entity cert.
This means that if the browser wants to check intermediates for revocation
that payload can't be stapled, but will still require an additional check.
There are several in-progress proposals (spearheaded by Opera) to resolve
this, but it's not finalized yet. This negates some of the speed gain on
browsers that do choose to do revocation checking with this level of rigor.

But guess what, you can join the stapling party even if you aren't a
CloudFlare customer! If you're using Apache (2.3+) you can configure OCSP
stapling for your own website with the SSLUseStapling directive. nginx also
plans to support stapling with the 1.3 release (initial preview released early
this month). You can also do stapling with IIS 7.5+ on Windows.

Edit: Others have asked what browsers currently support stapling. I believe
only Opera and IE9+ (probably schannel in Win7, but possibly in Vista?) at
this time. Chrome is publicly moving away from OCSP/CRL entirely in favor of
aggregating that data themselves and pushing it down to clients via their own
infrastructure, Firefox has that open bug, and Apple's roadmap for
ocspd/securityd is obviously not known.
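As an added example (not from any commenter in this thread), a small POSIX sh helper that checks the first caveat from the other side: whether a given server actually staples a response, judged from the output of `openssl s_client -status`. The sample outputs are constructed, trimmed copies of what that command prints; the live helper assumes `openssl` is on the PATH and the host listens on 443.

```shell
# stapling_status: reads `openssl s_client -status` output on stdin and prints
# one word describing what the server stapled into the handshake:
#   not-stapled      no OCSP response in the handshake (client must fetch it)
#   stapled-good     a stapled response saying the end-entity cert is good
#   stapled-revoked  a stapled response saying it is revoked
#   stapled-unknown  a stapled response with an unknown status
# Note: only the end-entity certificate is covered; intermediates are not.
stapling_status() {
  out=$(cat)
  case "$out" in
    *"OCSP response: no response sent"*) echo not-stapled ;;
    *"Cert Status: good"*)               echo stapled-good ;;
    *"Cert Status: revoked"*)            echo stapled-revoked ;;
    *"Cert Status: unknown"*)            echo stapled-unknown ;;
    *)                                   echo not-stapled ;;
  esac
}

# check_live HOST: run the real handshake (network access needed, not used by
# the constructed samples below). -servername sends SNI so the right cert is
# selected on shared hosts; -status asks the server to staple.
check_live() {
  openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null \
    | stapling_status
}

# Constructed sample: what s_client prints when the server staples (trimmed).
STAPLED_SAMPLE='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Oct 23 12:00:00 2012 GMT
    Next Update: Oct 30 12:00:00 2012 GMT
======================================'

# Constructed sample: what s_client prints when nothing is stapled.
UNSTAPLED_SAMPLE='OCSP response: no response sent'

printf '%s\n' "$STAPLED_SAMPLE"   | stapling_status   # stapled-good
printf '%s\n' "$UNSTAPLED_SAMPLE" | stapling_status   # not-stapled
```

A result of `not-stapled` against your own server after enabling `SSLUseStapling` usually means the stapling cache is not configured or the server has not yet fetched a response from the CA's responder.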

------
moonboots
I'm a fan of cloudflare, but I'm disappointed they didn't thank or mention
nginx in this blog post. Cloudflare uses nginx, which recently released OCSP
support thanks to sponsorship from Comodo, DigiCert, and GlobalSign [1].

[1] <http://nginx.org/en/CHANGES>

~~~
onetwothreefour
But but but, cloudflare is making SSL 30% faster!@# :)

And they're launching 30 data centers (oh wait, they're deploying some
machines in a DC...) and blah blah blah.

Sigh. Cloudflare is somewhat interesting, but very much still in the kiddie
pool of CDNs.

~~~
clone1018
Its goal isn't to be a fully featured CDN. CloudFlare is a whole suite of
tools: use what you want, and if you have something better, use it with
CloudFlare.

------
dmit
I wish there were a way to subscribe to just the technical posts on the
CloudFlare blog; those are always informative. As it is, I can't even find a
way to get an RSS feed for posts by particular authors.

------
jsight
Which browsers support this? I was under the impression that even the latest
version of Chrome (22) doesn't have this.

------
matthewcford
As an aside, $200 per month for a CDN is pretty cheap; how are they not
charging by bandwidth used?

~~~
shimon_e
They are set up to make use of cheap/peering bandwidth.

------
gsibble
Very cool stuff. CloudFlare just keeps getting more and more awesome.