Create a DWORD registry value named EnableOcspStaplingForSni
under HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel\
and set it to a non-zero value.
If the "Require Server Name Indication" option is checked on an IIS site binding, OCSP stapling is disabled for that site.
This is easily confirmed by enabling SNI for a site that does not currently require it and checking with the link or with openssl:
openssl s_client -connect foobar.com:443 -servername foobar.com -tls1 -tlsextdebug -status
Does anyone have a workaround for this, so that clients of SNI-enabled sites can get the benefits of OCSP stapling?
According to Microsoft, this behavior is disabled by default because of potential performance problems.
To enable OCSP stapling for SNI and CCS bindings, locate the following registry subkey:
"EnableOcspStaplingForSni"=dword:00000001
under Registry path:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
PowerShell snippet:
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\" -Name "EnableOcspStaplingForSni" -PropertyType DWord -Value 1
Microsoft reference article. The article refers to Windows Server 2012; I tested this and it is still relevant for 2016.
OCSP stapling
Online Certificate Status Protocol (OCSP) stapling enables a web server, such as Internet Information Services (IIS), to provide the current revocation status of a server certificate when it sends the server certificate to a client during the TLS handshake. This feature reduces the load on OCSP servers because the web server can cache the current OCSP status of the server certificate and send it to multiple web clients. Without this feature, each web client would try to retrieve the current OCSP status of the server certificate from the OCSP server. This would generate a high load on that OCSP server.
By default, OCSP support is enabled for IIS websites that have a simple secure (SSL/TLS) binding. However, this support is not enabled by default if the IIS website is using either or both of the following types of secure (SSL/TLS) bindings:
Require Server Name Indication
Use Centralized Certificate Store
In this case, the server hello response during the TLS handshake won't include an OCSP stapled status by default. This behavior improves performance: The Windows OCSP stapling implementation scales to hundreds of server certificates. Because SNI and CCS enable IIS to scale to thousands of websites that potentially have thousands of server certificates, setting this behavior to be enabled by default may cause performance issues.
Note: Enabling this registry key has a potential performance impact.
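An audit script added here as an example (it is not from the original answer or from Microsoft's article): it lists the IIS HTTPS bindings that require SNI or use the Centralized Certificate Store and reports whether EnableOcspStaplingForSni covers them, setting the value only when run with -Fix. It assumes the IIS WebAdministration module is installed and that sslFlags bit 1 means "Require Server Name Indication" and bit 2 means "Use Centralized Certificate Store".

```powershell
param([switch]$Fix)   # run with -Fix to create/set the value, otherwise report only

Import-Module WebAdministration   # assumption: IIS with the WebAdministration module installed

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$regName = 'EnableOcspStaplingForSni'

# Current value; a missing value behaves like 0 (stapling off for SNI/CCS bindings).
$current = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
if ($null -eq $current) { $current = 0 }

# Collect HTTPS bindings that require SNI or use the Centralized Certificate Store.
# Assumption: sslFlags bit 1 = Require Server Name Indication, bit 2 = Use CCS.
$affected = foreach ($site in Get-Website) {
    foreach ($b in $site.bindings.Collection) {
        if ($b.protocol -ne 'https' -or (($b.sslFlags -band 3) -eq 0)) { continue }
        $modes = @()
        if ($b.sslFlags -band 1) { $modes += 'SNI' }
        if ($b.sslFlags -band 2) { $modes += 'CCS' }
        [pscustomobject]@{
            Site    = $site.Name
            Binding = $b.bindingInformation
            Mode    = ($modes -join '+')
        }
    }
}

"$regName is currently $current"
if (-not $affected) {
    'No SNI/CCS HTTPS bindings found; the default OCSP stapling behavior applies.'
    return
}
$affected | Format-Table -AutoSize

if ($current -ne 0) {
    'OCSP stapling is enabled for these bindings.'
} elseif ($Fix) {
    # -Force overwrites an existing value instead of failing on it.
    New-ItemProperty -Path $regPath -Name $regName -PropertyType DWord -Value 1 -Force | Out-Null
    "Set $regName=1. A reboot is typically needed for Schannel to pick up the change;"
    're-check afterwards with the openssl s_client ... -status command from the question.'
} else {
    Write-Warning "$($affected.Count) binding(s) require SNI/CCS but $regName is 0/unset: OCSP stapling is off for them. Re-run with -Fix to enable it."
}
```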