Online Certificate Status Protocol (OCSP) Stapling
We are seeing some delays in Time To First Byte because OCSP stapling is not active on Azure Web Apps SSL endpoints.
This causes our clients' browsers to call the issuing CA's endpoint before SSL negotiation can really begin.
Stapling would save the client browser from having to make an extra request to the CA checking if the certificate has been revoked.
There is also a potential privacy issue for our clients, in that the CA will be able to log these requests. If the web server takes care of OCSP, on the other hand, no requests will be sent from the client to the CA.
The Wikipedia article on OCSP stapling explains things pretty well.
https://en.wikipedia.org/wiki/OCSP_stapling
Running webpagetest.org against your site with the browser set to Firefox shows the OCSP calls to the CA.
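A command-line way to confirm whether a given endpoint actually staples, added here as an example and not part of the original post: it wraps `openssl s_client -status` (which sends the TLS status_request extension so the server can include its OCSP response in the handshake) and classifies the output. The function names are this example's own, and the two sample outputs embedded in it are constructed in the shape `s_client` prints, not captures from any Azure endpoint.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a TLS endpoint
# staples an OCSP response, using `openssl s_client -status`.
# Function names are this example's own; the sample outputs are constructed.

# Classify `openssl s_client -status` output read from stdin. Prints one of:
#   stapled        server included an OCSP response in the handshake
#   stapled-error  server stapled a response, but its status was not "successful"
#   not-stapled    nothing was stapled; the client has to ask the CA itself
#   unknown        output contained no recognizable OCSP status line
classify_ocsp_output() {
  input=$(cat)
  if printf '%s\n' "$input" | grep -q 'OCSP Response Status: successful'; then
    echo stapled
  elif printf '%s\n' "$input" | grep -q 'OCSP Response Status:'; then
    echo stapled-error
  elif printf '%s\n' "$input" | grep -q '^OCSP response: no response sent'; then
    echo not-stapled
  else
    echo unknown
  fi
}

# Live check (needs network): -status requests the stapled response,
# -servername sets SNI so the server picks the certificate for that hostname.
check_ocsp_stapling() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null \
    | classify_ocsp_output
}

# Constructed samples in the shape s_client prints; not real captures.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================
---
Certificate chain'

SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

if [ "$#" -gt 0 ]; then
  # Usage: ./ocsp_check.sh example.com [443]
  check_ocsp_stapling "$1" "${2:-443}"
else
  printf '%s\n' "$SAMPLE_STAPLED" | classify_ocsp_output      # stapled
  printf '%s\n' "$SAMPLE_NOT_STAPLED" | classify_ocsp_output  # not-stapled
fi
```

Because the default hostname and a custom domain can be terminated by different front ends, run the live check once against each hostname you serve (the `-servername` value must match the certificate you are asking about); a `not-stapled` result on one and `stapled` on the other is exactly the split the comments below describe.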

We’ve started deploying the feature to a small set of stamps. We’ll continue to monitor the stamps for performance and validate if the feature is working as expected. Once we are confident there are no issues, we will roll out to all regions.
Thanks,
Oded
18 comments
Anonymous commented
When will OCSP stapling be available for custom domains? We have been waiting for two years already.
Witali P. commented
What is the current status for custom domains (= my official domain)?
I don't think anyone will use *.azurewebsites.net seriously in production.
This makes "Azure Web Apps" OK for development, but unsuitable for the production system!
P Pelzer commented
Hello, is there an update to this?
Hans de Feber commented
Hi Jenny, can you please advise when you expect the solution to be in place
Jenny Lawrance commented
Hi Matthew, others,
Yes, I can see that OCSP stapling is enabled for the default *.azurewebsites.net, but not custom domains. We are working on finding a solution to this. Thanks, Jenny
Matthew Steeples commented
As a brief follow up (while putting information together to send by email) it would appear that OCSP stapling is enabled for *.azurewebsites.net but not on custom domains
Matthew Steeples commented
I'll send you an email Jenny, as our site doesn't appear to do OCSP stapling. The example you've provided for webpagetest.org is served by Fastly rather than app services
Anonymous commented
You're closing it since there haven't been any comments for 8 days? Bit too soon for an idea that's already hard to find because of its age. Our business would still want this.
Jenny Lawrance commented
The servers doing SSL on App Service have OCSP enabled by default, and run with all the latest patches.
So, I'm confused that this is being reported as an issue. I ran the test against my web app on webpagetest.org, and while I see OCSP requests to comodoca.com, this seems to be after the initial page loaded, indicating that this request was made as part of additional CSS/JS requests, which go against other web sites. Please provide an app where this clearly reproduces, and we will investigate further. Send email to jennylaw(at)microsoft.com with the site name.
Thanks,
Jenny
Anonymous commented
Any new status on this? This is taking some time for what IIS has by default when running on prem.
Anonymous commented
If it's true that this is the delay for the Time To First Byte, then I think it's crucial that MS fix OCSP stapling. My company has been close to migrating away from Azure Web Apps because of the delay for Time To First Byte.
Sana commented
Hi, can someone please let us know what the status is? Our company would really, really, really appreciate it.
Anonymous commented
Our site (Azure Web App) is down under Firefox: no files can be downloaded from Azure Blob.
Firefox support has identified the problem as a problem with Microsoft.
https://support.mozilla.org/en-US/questions/1161934
Bert Sinnema commented
Since Firefox's new version forces OCSP, not a single file can be downloaded from blob storage. Our service is down for every Firefox user. Why are security patches so slow?
Thanks for your patience. We still don't have a timeline to share as supporting this is dependent on a few other items we need to complete first. We will update here once there is more information to share.
Thanks,
Oded
Josiah Bradley commented
Dear Feedback team, any word on this? OCSP would be nice for our sites; even though our provider is lightning fast, every byte helps.
Anonymous commented
Please can you provide an update on this? I too am facing this problem and I have had to migrate to an IIS server, as this is resulting in a 2.3 second delay to the server response time, which would hit my SEO on Google.
Thanks
Chris
Anonymous commented
Any update on this?