Today I was fiddling around with nginx and SSL options and wanted to verify that my server is actually stapling OCSP responses to its TLS handshakes (the status_request extension), instead of leaving every client to query the CA's OCSP responder itself.
Here is a simple bash one-liner that does exactly that:
openssl s_client -connect blog.foxxx0.de:443 -servername blog.foxxx0.de -tlsextdebug -status </dev/null |& grep -A16 '^OCSP response: $'

What the options do: -status makes s_client send the status_request extension and print whatever the server staples; -servername sends the host name as SNI, so the right virtual host answers (without it a server with several certificates may hand out a default certificate that is not the one you configured stapling for); -tlsextdebug lists the TLS extensions exchanged, which is where you can see whether status_request went out and came back; </dev/null closes stdin once the handshake is done (a here-string with a fake HTTP request serves the same purpose, no request needs to be sent at all). Leave out -tls1 unless you specifically want to test TLS 1.0: it pins the handshake to that version, which many servers now refuse, and stapling does not depend on the protocol version. The grep prints the 16 lines after the response header; raise the count if you want to see the responder's signature block as well.
You might need to run this two or three times before it gives a response: nginx fetches the OCSP response from the CA's responder in the background after the first handshake, so the first connection after a (re)start gets no staple. Without the grep, that case shows up as the line "OCSP response: no response sent". If it keeps saying that, stapling is not actually active: check that ssl_stapling on; is set for that server block, that nginx has a resolver directive so it can look up the responder's host name, and look in the nginx error log for a failed OCSP fetch.
A sample response might look like:
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = IL, O = StartCom Ltd. (Start Commercial Limited), CN = StartCom Class 2 Server OCSP Signer
    Produced At: Jul 13 11:25:27 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: B9B2D56DB021B36E42F627245806C4A9A6979AEB
      Issuer Key Hash: 11DB2345FD54CC6A716F848A03D7BEF7012F2686
      Serial Number: 02998C
    Cert Status: good
    This Update: Jul 13 11:25:27 2015 GMT
    Next Update: Jul 15 11:25:27 2015 GMT
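Two things in that output are worth checking every time, not just once: Cert Status must be good, and Next Update must still be in the future, because a staple past its Next Update is stale and clients will treat it as such. The following script is an added example (written for this post, not code from the original or from nginx/OpenSSL) that turns the one-liner into a check you can run from cron or a monitoring job. classify_staple parses captured `openssl s_client -status` output and prints none / good / revoked / unknown with a matching exit status; staple_next_update pulls out the expiry; check_host runs the live query with SNI and retries for the not-yet-cached case. The host names, port, retry count and the sample outputs embedded at the bottom are constructed for illustration; only the parsers are exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original post: classify the OCSP staple
# reported by `openssl s_client -status`. Sample outputs at the bottom are
# constructed (abridged to the lines the parser inspects).

# classify_staple: read s_client output on stdin, print one word and set the
# exit status (0 only for a good stapled response):
#   none     server sent no staple ("OCSP response: no response sent")
#   good     staple present, responder status "successful", Cert Status: good
#   revoked  staple present, Cert Status: revoked
#   unknown  staple present but a non-successful status or unexpected text
classify_staple() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
        echo none; return 1
    fi
    # s_client prints "OCSP response: " on its own line when a staple exists.
    if ! printf '%s\n' "$out" | grep -q '^OCSP response: *$'; then
        echo unknown; return 1
    fi
    status=$(printf '%s\n' "$out" | sed -n 's/^ *OCSP Response Status: *//p' | head -n 1)
    cert_status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
    case "$status" in
        successful*) ;;
        *) echo unknown; return 1 ;;
    esac
    case "$cert_status" in
        good)    echo good;    return 0 ;;
        revoked) echo revoked; return 1 ;;
        *)       echo unknown; return 1 ;;
    esac
}

# staple_next_update: print the "Next Update" timestamp of the staple read
# from stdin, i.e. the point after which clients consider it stale.
staple_next_update() {
    sed -n 's/^ *Next Update: *//p' | head -n 1
}

# check_host HOST [PORT] [TRIES]: query the server and classify its staple.
# Retries because nginx fetches the OCSP response in the background after
# the first handshake, so the first connection after a restart has none.
# -servername sends SNI so the virtual host under test answers.
check_host() {
    host=$1; port=${2:-443}; tries=${3:-3}; result=none; output=''; i=0
    while [ "$i" -lt "$tries" ]; do
        i=$((i + 1))
        output=$(openssl s_client -connect "$host:$port" -servername "$host" \
                     -status </dev/null 2>/dev/null)
        result=$(printf '%s\n' "$output" | classify_staple)
        [ "$result" != none ] && break
        sleep 1
    done
    echo "$host:$port stapled=$result next_update=$(printf '%s\n' "$output" | staple_next_update)"
    [ "$result" = good ]
}

# Constructed sample outputs for offline testing.
SAMPLE_GOOD='OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responses:
    Certificate ID:
      Serial Number: 02998C
    Cert Status: good
    This Update: Jul 13 11:25:27 2015 GMT
    Next Update: Jul 15 11:25:27 2015 GMT
======================================'
SAMPLE_REVOKED='OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Jul 14 08:00:00 2015 GMT
======================================'
SAMPLE_TRYLATER='OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: trylater (0x3)
======================================'
SAMPLE_NONE='OCSP response: no response sent'

# Run the live check only when a host is given, e.g.
#   sh check_staple.sh blog.foxxx0.de 443
if [ $# -gt 0 ]; then
    check_host "$@"
fi
```

The exit status is the point of the wrapper: a cron job or monitoring probe can alert on anything but good, which catches the three failure modes the one-liner leaves you to eyeball (no staple at all, a responder error such as trylater being stapled, and a revoked certificate still being served).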