OCSP Stapling not enabled for domains

I have a domain running on Cloudflare Pro plan, it uses Universal SSL in Full (strict) mode and has HSTS activated. Running the site through https://www.digicert.com/help/ shows OCSP Stapling as “Not Enabled”.

As far as I can tell from Cloudflare blog posts on the subject, it should be enabled when running through Cloudflare.

What am I missing here?

My domains do show it as enabled. What domain are you testing?

Qualys says “yes” for my test site, but no for others. I’ll send @judge some samples.

I am testing the domain saxis.dk. It says everything works, but that stapling is not enabled.

I have tested 3 other domains I administer through Cloudflare. 2 of them show OCSP enabled and 1 other also shows Not Enabled.

I tried testing at https://www.digicert.com/help/; it is saying unable to connect. Tested another site, which is saying OCSP Staple: Not Enabled.

Do you have any information about this? Would upgrading to a dedicated certificate fix the problem?

And here I thought Cloudflare simply didn’t support OCSP Stapling. My sites have never had OCSP Stapling enabled for their certs, whether free or paid. I’ve two pro sites, 3 free. May we have an answer to this, as the blog referenced by the OP, clearly stating that OCSP is enabled by Cloudflare with no qualifications (no matter one’s level of plan/s), is 8 years old. Thank-you.

@Judge @sdayman @sandro ~ any updates on this issue, as it’s a big one. Stapling speeds up sites in addition to its security benefits. Every other CDN I’ve seen supports it. Cloudflare needs to as well.

Weird thing is that I administer 2 other domains through Cloudflare’s free plan that show OCSP stapling enabled, but I have 2 others on the pro plan that don’t.

Can you run this command for your domain and share the results?

echo QUIT | openssl s_client -connect INSERT-DOMAIN-HERE:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

No result for the command.

Can you share the hostname?

CF does support OCSP stapling but looks like right now it isn’t showing up. Wonder if there’s something wrong/maintenance with Cloudflare’s OCSP pre-fetcher right now ?? @cloonan @cscharff

Using this command to verify:

echo QUIT | openssl s_client -connect $domain:443 -servername $domain -tls1_2 -tlsextdebug -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

Thank-you. I very much appreciate your reply, eva2000. Hopefully you’re correct in thinking it’s a matter of maintenance.


The domain that was not working now shows OCSP Stapling enabled in the tool in the OP.

Can confirm the same. Seems it was a temp issue on CF’s end, I suspect?

From Qualys for one of my domains:

OCSP stapling Yes

OCSP Must Staple No

From Mozilla’s Observatory:

OCSP Stapling: Yes

However for sites (that I’ve tested) using only TLS1.3, OCSP Stapling is not supported, as reported by Qualys, Mozilla, & Immuniweb.


I asked CF tech support and it’s apparent that there can be delays between OCSP response expiry and CF OCSP staple response pre-fetcher being able to cache and pre-fetch the OCSP response. So you can have intervals where CF protected domains alternate between having an OCSP response and not.
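An added example, not from this thread and not Cloudflare's own tooling: a small Python checker that runs the same openssl probe used above, parses the stapled response, and reports whether a staple was sent and whether its Next Update has already passed, which is exactly the window the pre-fetcher delay described here produces. The embedded sample output is constructed, not captured from any real host.

```python
"""Probe a host for a stapled OCSP response and judge its freshness."""
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample of `openssl s_client -status` output (not from a real host).
SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  5 12:00:00 2024 GMT
    Next Update: Jan 12 12:00:00 2024 GMT
"""
# What s_client prints when the server sends no staple at all.
SAMPLE_NONE = "OCSP response: no response sent\n"

TIME_FMT = "%b %d %H:%M:%S %Y GMT"  # openssl's GMT timestamp layout


def parse_staple(output):
    """Return {status, cert_status, next_update} or None if no staple was sent."""
    if "OCSP response: no response sent" in output:
        return None
    m_status = re.search(r"OCSP Response Status: (\w+)", output)
    m_cert = re.search(r"Cert Status: (\w+)", output)
    m_next = re.search(r"Next Update: (.+ GMT)", output)
    if not (m_status and m_next):
        return None  # staple block present but unparseable; treat as absent
    # Collapse openssl's padded day field ("Jan  5") before parsing.
    stamp = " ".join(m_next.group(1).split())
    next_update = datetime.strptime(stamp, TIME_FMT).replace(tzinfo=timezone.utc)
    return {"status": m_status.group(1),
            "cert_status": m_cert.group(1) if m_cert else None,
            "next_update": next_update}


def staple_is_fresh(info, now=None):
    """True only if a staple exists and its Next Update is still in the future."""
    now = now or datetime.now(timezone.utc)
    return info is not None and info["status"] == "successful" and info["next_update"] > now


def fetch_s_client_output(domain, timeout=20):
    """Run the thread's openssl probe; needs openssl on PATH and network access."""
    cmd = ["openssl", "s_client", "-connect", f"{domain}:443",
           "-servername", domain, "-status"]
    proc = subprocess.run(cmd, input=b"QUIT\n", capture_output=True, timeout=timeout)
    return proc.stdout.decode(errors="replace")
```

Running `staple_is_fresh(parse_staple(fetch_s_client_output("example.com")))` on a schedule, and logging the transitions, shows the alternating intervals the support answer describes.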