libocsp is a plug-in that performs OCSP (Online Certificate Status Protocol) checks. It verifies the revocation status of the target certificate and measures the performance indicators of each stage of the network connection.

Settings are key=value text, with entries separated by carriage return and line feed. Key names are not case-sensitive, and line comments starting with # or ; are supported.

| Parameter name | Type | Required | Default value | Explanation and impact |
|---|---|---|---|---|
| url | string | no | — | Target domain name or IP address. The OCSP request is sent to this host; if it is not set or is empty, the server address built into cert is used. If it is a domain name, the plug-in first performs DNS resolution, and the resolution time is output as an independent indicator. |
| issuer | string | yes | — | Issuer certificate, PEM format. Used to build the OCSP request and to prove the certificate chain relationship. Since PEM is usually multi-line, it can be passed in as multiple repeated lines in the settings (one issuer=... fragment per line), and the plug-in splices them automatically. If missing, the OCSP request cannot be constructed correctly and the check fails. |
| cert | string | yes | — | Certificate to be checked, PEM format. This is the target certificate whose revocation status needs to be verified. As with issuer, repeated lines are supported and are spliced into the complete PEM. If missing, there is no certificate to check. |
| hash | string | no | — | Hash method used to generate the certificate request. Default sha1. Supports sha1, sha256, sha512. |

| Stage | Indicator name | Unit | Description |
|---|---|---|---|
| 0 | Total task time | ms | The overall elapsed time from task startup to receipt of the complete OCSP response and completion of processing. |
| 1 | DNS Lookup Time | ms | The time taken to resolve the host domain name to an IP address. If an IP address is used directly, it is close to 0. |
| 2 | Connection establishment time | ms | The time taken to complete the TCP three-way handshake. Reflects the quality of the direct network connection to the OCSP responder. |
| 3 | SSL Handshake Time | ms | The time taken by the TLS/SSL handshake. If the OCSP service is accessed via HTTPS, this includes the certificate exchange and key negotiation time. |
| 5 | Send/Request time | ms | The time taken to send the OCSP request data to the server. |
| 6 | Time to First Byte (TTFB) | ms | The time from sending the request until the first response byte is received. Reflects how quickly the OCSP responder returns the first packet for the request. |
| 7 | Time to Last Byte | ms | The time after the first byte to receive the complete response. like |

Note: stages 9~15 are reserved positions for common indicator indexes. They are usually not filled with valid values in pure OCSP certificate checking scenarios, but may be reused in some extended communication modes.

| Info value | Meaning | Trigger condition |
|---|---|---|
| 699001 | StatusError | OCSP status error. |
| 699002 | HTTP Error | HTTP error. |
| 699003 | OCSP check Error | Response signature verification failed. |
| 699004 | OCSP revoked | OCSP revoked. |
| 612xxx | Other standard errors | Other standard errors |

issuer and cert are PEM-encoded certificates, which usually contain newlines. In the key=value settings format, each line of the PEM needs to be passed in as an independent issuer=... or cert=... line, and the plug-in splices them internally. Make sure the certificate content contains the complete BEGIN CERTIFICATE and END CERTIFICATE markers.
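
The settings layout described above, as an added example that is not libocsp's own code: a Python helper that turns two PEM certificates into CRLF-separated key=value lines, and a reader that applies the page's rules (comments, case-insensitive keys, repeated issuer/cert lines). The function names and PEM bodies are constructed, and rejoining repeated lines with a newline is an assumption about how the plug-in splices them.

```python
# Added example, not libocsp code. Assumption: repeated issuer=/cert= lines are
# rejoined with "\n"; the page only says the plug-in splices them.
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
HASHES = {"sha1", "sha256", "sha512"}   # values listed on the page
MULTILINE_KEYS = {"issuer", "cert"}

def pem_lines(key, pem):
    """Turn one PEM certificate into repeated key=... settings lines."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError(f"{key}: missing BEGIN/END CERTIFICATE marker")
    return [f"{key}={ln}" for ln in lines]

def build_settings(issuer_pem, cert_pem, url=None, hash_name="sha1"):
    if hash_name not in HASHES:
        raise ValueError(f"unsupported hash: {hash_name}")
    out = ["# generated settings"]
    if url:
        out.append(f"url={url}")
    out.append(f"hash={hash_name}")
    out += pem_lines("issuer", issuer_pem) + pem_lines("cert", cert_pem)
    return "\r\n".join(out) + "\r\n"

def parse_settings(text):
    """Reader following the page's rules: CRLF-separated lines, # or ; comments,
    case-insensitive keys, repeated issuer/cert lines spliced together."""
    cfg = {}
    for raw in text.split("\r\n"):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        # Split on the first "=" only: base64 padding in PEM lines contains "=".
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not key=value: {line!r}")
        key = key.strip().lower()
        if key in MULTILINE_KEYS and key in cfg:
            cfg[key] += "\n" + value
        else:
            cfg[key] = value
    for key in sorted(MULTILINE_KEYS):
        if key not in cfg:
            raise ValueError(f"{key} is required")
    return cfg

# Constructed placeholder PEM bodies (not real certificates).
SAMPLE_ISSUER = f"{PEM_BEGIN}\nMIIBconstructedISSUERline1\nline2AAAA==\n{PEM_END}\n"
SAMPLE_CERT = f"{PEM_BEGIN}\nMIIBconstructedLEAFline1\nline2BBBB==\n{PEM_END}\n"
```
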