Today I was fiddling around with nginx and ssl options and wanted to verify that my server is actually serving OCSP data in its responses.
Here is a simple bash one-liner that does exactly that:
openssl s_client -connect blog.foxxx0.de:443 -servername blog.foxxx0.de -tlsextdebug -status <<<$(echo -en 'GET / HTTP/1.0\nHost: blog.foxxx0.de\n') |& grep -A16 '^OCSP response: $'
You might need to run this 2 or 3 times until it gives a response in case the server has no cached OCSP data available yet.
A sample response might look like:
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = IL, O = StartCom Ltd. (Start Commercial Limited), CN = StartCom Class 2 Server OCSP Signer
    Produced At: Jul 13 11:25:27 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: B9B2D56DB021B36E42F627245806C4A9A6979AEB
      Issuer Key Hash: 11DB2345FD54CC6A716F848A03D7BEF7012F2686
      Serial Number: 02998C
    Cert Status: good
    This Update: Jul 13 11:25:27 2015 GMT
    Next Update: Jul 15 11:25:27 2015 GMT
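Reading that output by eye works once; for a recurring check it helps to have the verdict as an exit code. The following is an added example, not part of the original post: it reads the `openssl s_client -status` output on stdin and reports whether a response was stapled, whether it says `good`, and whether the current time is still inside the This Update / Next Update window. The function name `check_staple`, its exit codes and the abbreviated sample input are assumptions of this example, and it only interprets what `s_client` prints; it does not verify the responder's signature.

```bash
#!/usr/bin/env bash
# Added example: judge the stapled OCSP response printed by `openssl s_client -status`.
# check_staple NOW_EPOCH   (reads the s_client output on stdin)
# Exit 0: successful + good + inside validity window; 1: bad or stale; 2: nothing stapled.
check_staple() {
  awk -v now="$1" '
    # "Jul 15 11:25:27 2015 GMT" -> Unix epoch seconds (days-from-civil, POSIX awk only)
    function epoch(s,   f, t, m, y, d, era, yoe, doy, doe) {
      split(s, f, " "); split(f[3], t, ":")
      m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[1]) + 2) / 3
      y = f[4] - (m <= 2); d = f[2]
      era = int(y / 400); yoe = y - era * 400
      doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return (era * 146097 + doe - 719468) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }
    /OCSP Response Status:/ { status = $4 }
    /Cert Status:/          { cert = $3 }
    /This Update:/          { sub(/.*This Update: */, ""); this_u = epoch($0) }
    /Next Update:/          { sub(/.*Next Update: */, ""); next_u = epoch($0) }
    END {
      if (status == "")           { print "no stapled response"; exit 2 }
      if (status != "successful") { print "responder status: " status; exit 1 }
      if (cert != "good")         { print "cert status: " cert; exit 1 }
      if (now < this_u)           { print "not yet valid"; exit 1 }
      if (next_u != "" && now >= next_u) { print "stale: Next Update has passed"; exit 1 }
      if (next_u == "") { print "ok: good, no Next Update given"; exit 0 }
      print "ok: good, " int((next_u - now) / 3600) "h left"
    }'
}

# Constructed sample: the relevant lines of the response shown above.
SAMPLE='OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Produced At: Jul 13 11:25:27 2015 GMT
    Cert Status: good
    This Update: Jul 13 11:25:27 2015 GMT
    Next Update: Jul 15 11:25:27 2015 GMT'

# Evaluate the sample as of a fixed instant on Jul 14 2015 (epoch 1436900000).
printf '%s\n' "$SAMPLE" | check_staple 1436900000
```

Against a live server, pipe the `s_client` output (without the `grep`) into `check_staple "$(date +%s)"`.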