~ 3 min read

November 2023 - 🔐 OCSP Response 🧪 Testing with k6

Written by Brie Carranza

Using k6 to check whether a server's stapled OCSP status is http.OCSP_STATUS_GOOD.

πŸ” OCSP Response Testing with k6

In thisUpdate, we’ll learn about Online Certificate Status Protocol (OCSP) and how to validate OCSP responses with k6.

Grafana k6 is a load testing tool for engineers that can be used on localhost, in 💚 CI pipelines or via Grafana ☁️ Cloud.

k6 supports OCSP stapling. The SSL Pulse dashboard from Qualys SSL Labs reports that 49.2% of sites surveyed support OCSP stapling.

OCSP stapling is a privacy-preserving approach to checking whether a TLS certificate has been revoked. Timestamped OCSP responses are presented by the server during the TLS 🤝 handshake.

🚀 Let’s start testing!

With the k6 executable installed, a script like the following can be used to check OCSP responses:

import http from 'k6/http';
import { check } from 'k6';

export default function () {
  // k6 fetches the page and parses any OCSP response stapled during the TLS handshake.
  const res = http.get('https://brie.dev');
  // The parsed status is compared against the k6 constant for a "good" OCSP status.
  check(res, {
    'is OCSP response good': (r) => r.ocsp.status === http.OCSP_STATUS_GOOD,
  });
}

By convention, k6 load testing files have a .js extension. 🚀 Run k6 run --quiet whatever.js.

 k6 run --quiet   whatever.js

     ✓ is OCSP response good

     checks.........................: 100.00% ✓ 1         ✗ 0
     data_received..................: 30 kB   477 kB/s
     data_sent......................: 715 B   12 kB/s
...
     iterations.....................: 1       16.033349/s

I ♥️ love the various subdomains over at badssl.com for testing bad SSL configurations. Modifying the k6 script from earlier to point at revoked.badssl.com shows how test failures are reported:

# k6 --quiet run revoked.js
WARN[0000] Request Failed                                error="Get \"https://revoked.badssl.com/\": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: “revoked.badssl.com” certificate is expired"

     ✗ is OCSP OK
      ↳  0% — ✓ 0 / ✗ 1
...
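The two runs above show the one thing the script checks (status equals http.OCSP_STATUS_GOOD) and one way it fails (the TLS handshake never completes, so there is no OCSP data to inspect). As an added example, not code from the original post or from the k6 project, here are the checks I would want alongside that one: a stapled response is actually present, the status is good, and the response is still inside its thisUpdate/nextUpdate window. It is written as plain functions with no k6 imports so it also runs under Node; the status strings are assumed to be the values behind k6's http.OCSP_STATUS_* constants, and the sample responses are constructed.

```javascript
// Added example, not code from the original post or from k6 itself.
// Pure functions (no k6 imports) so they run under Node for a self-test and
// can be pasted into a k6 script:  check(http.get(url), buildOcspChecks());
// Status strings are the values behind k6's http.OCSP_STATUS_* constants.
const OCSP_GOOD = 'good';
const KNOWN_STATUSES = new Set([OCSP_GOOD, 'revoked', 'unknown', 'server_failed']);
const SKEW_MS = 5 * 60 * 1000; // tolerate five minutes of clock skew

// k6 exposes OCSP timestamps as milliseconds since the epoch; 0 means absent.
// nowMs is injected so the freshness rule is deterministic in tests.
function buildOcspChecks(nowMs = Date.now()) {
  return {
    // A TLS failure (as in the revoked.badssl.com run) or a server that does
    // not staple leaves r.ocsp missing or zeroed. Flag that explicitly so the
    // "status is good" check is not the only thing that fails.
    'OCSP response was stapled': (r) =>
      !!r.ocsp && KNOWN_STATUSES.has(r.ocsp.status) && r.ocsp.produced_at > 0,
    'OCSP status is good': (r) => !!r.ocsp && r.ocsp.status === OCSP_GOOD,
    // "good" only means something inside the thisUpdate..nextUpdate window.
    // nextUpdate is optional in OCSP (RFC 6960), so 0 there is accepted.
    'OCSP response is fresh': (r) =>
      !!r.ocsp && r.ocsp.this_update > 0 &&
      r.ocsp.this_update - SKEW_MS <= nowMs &&
      (r.ocsp.next_update === 0 || nowMs <= r.ocsp.next_update + SKEW_MS),
  };
}

// Evaluate every check and return a name -> boolean map. k6's check() does
// this itself; the helper exists so the logic can be exercised outside k6.
function evaluateOcsp(res, nowMs = Date.now()) {
  const results = {};
  for (const [name, fn] of Object.entries(buildOcspChecks(nowMs))) {
    results[name] = fn(res);
  }
  return results;
}

// Constructed sample responses shaped like k6's Response.ocsp (not from a real server).
const NOW = Date.UTC(2023, 10, 15); // 2023-11-15T00:00:00Z
const HOUR = 60 * 60 * 1000;
function sample(status, nextUpdate) {
  return { ocsp: { status, produced_at: NOW - HOUR, this_update: NOW - HOUR,
                   next_update: nextUpdate, revoked_at: 0, revocation_reason: '' } };
}
const freshGood = sample(OCSP_GOOD, NOW + 24 * HOUR);
const staleGood = sample(OCSP_GOOD, NOW - 2 * HOUR); // nextUpdate already passed
const revoked = sample('revoked', NOW + 24 * HOUR);
const noStaple = { ocsp: { status: '', produced_at: 0, this_update: 0, next_update: 0 } };
const tlsFailed = { error: 'tls: failed to verify certificate' }; // no ocsp at all
```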

📖 OCSP Terminology

A basic grasp of these concepts is recommended. These links are selected to help teach or remind the reader:

  • Certificate Revocation
  • OCSP Must-Staple | A certificate extension that tells the browser to expect a valid OCSP response “stapled” (included) in the handshake.
  • OCSP Request | The request to determine the revocation status of an X.509 certificate. With OCSP, the request is made by the client. With OCSP stapling, the request is made by the Web server and the response is included in the handshake.
  • OCSP Responder/OCSP Server | The party responsible for checking the status of the X.509 certificate with a certificate authority and sending the OCSP Response to the requester.
  • OCSP Response | The response that tells the client the OCSP status and whether or not the certificate is valid.
  • OCSP Stapling | Stapling improves OCSP by putting the burden of retrieving the OCSP Response on the Web server (rather than the client).

This is just an introduction: you can further improve performance by implementing a caching OCSP proxy.

📚 Read more

A few excellent articles and resources I read while writing this blog post, organized with my favorites towards the top:

💖 Be well, you.