I can't spell. It's OCSP:
https://en.wikipedia.org/wiki/Online...tatus_Protocol.
OpenBSD's built-in web server httpd(8) supports OCSP stapling. Here's an example httpd.conf(5) fragment from one of my servers:
Code:
server "<redacted>" {
	alias "<www.redacted>"
	listen on * tls port https
	hsts
	tls certificate "/etc/ssl/acme/fullchain.pem"
	tls key "/etc/ssl/acme/private/privkey.pem"
	tls ocsp "/etc/ssl/acme/cert.der"
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
}
This server runs OpenBSD's ocspcheck(8) utility daily for certificate validation against the certificate authority's responder.
OCSP stapling is time-dependent and (nearly) correct time is required, which is why incorrect clocks cause failures.
https://en.wikipedia.org/wiki/OCSP_stapling
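
A daily refresh job of the kind described above, as an added example that is not part of the original post: it fetches a fresh response with ocspcheck(8), keeps the existing staple if the check fails (for instance because the local clock is off), and reloads httpd only after a successful swap. The paths are the ones in the fragment above; the function name `refresh_staple` and the `.new` temporary file are this example's own choices.

```shell
#!/bin/sh
# Added example: refresh the OCSP staple that httpd(8) serves.
# refresh_staple and the ".new" temp file are hypothetical names chosen here.

refresh_staple() {
	chain=$1     # full chain PEM, as in "tls certificate"
	staple=$2    # DER response file, as in "tls ocsp"
	tmp="${staple}.new"

	# Ask the CA's responder for a fresh response and write it to a temp
	# file. ocspcheck validates the response, including its validity
	# window against the local clock, so a skewed clock fails here.
	# -N omits the request nonce; drop it if your responder returns nonces.
	if ! ocspcheck -N -o "$tmp" "$chain"; then
		rm -f "$tmp"
		echo "ocspcheck failed; keeping existing staple $staple" >&2
		return 1
	fi

	# Swap the new staple in with a rename on the same filesystem, then
	# have httpd reload its configuration so it serves the new file.
	mv -f "$tmp" "$staple" && rcctl reload httpd
}

# Run from a daily cron job as:
#   script /etc/ssl/acme/fullchain.pem /etc/ssl/acme/cert.der
if [ "$#" -eq 2 ]; then
	refresh_staple "$1" "$2"
fi
```

A non-zero exit from the cron job is the signal to check the clock and the responder before the staple currently being served expires.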