Bhashinee Nirmali
Aug 13, 2018

[Ballerina] Enable OCSP stapling in Ballerina

Once a certificate is issued by a certificate authority (CA), the CA assigns it a validity period, and the certificate is expected to be valid for that entire period. After issuing a certificate, the CA has no way to take it back. So in order to revoke (cancel) a certificate, the CA publishes the certificate’s status as Revoked. Once the certificate is revoked, it should no longer be trusted.

Ballerina has a client endpoint to do outbound calls. If you are not familiar with Ballerina, see [helloWorld client].

When connecting to an HTTPS endpoint we need to specify a trust store containing the certificates we trust. See the [Basic https client and a listener] example.

In http:Client, apart from the normal HTTPS configurations (see the ‘Basic HTTPS Listener Client’ Ballerina by Example), we need to add another field inside the secureSocket record type to enable/disable OCSP stapling on the client side.

ocspStapling — true/false to enable/disable OCSP stapling.

After enabling ocspStapling on the client side, the client will request the OCSP staple from the server during the SSL handshake. Depending on the OCSP staple the client receives, it performs the corresponding validations and then establishes the connection. If validation of the staple sent by the server fails, or if the server did not send a staple, validation falls back to OCSP and CRL checking.
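To make the client-side decision above concrete, here is an added Python model of it; this is illustration code written for this post, not code from the post itself or from Ballerina's implementation. It builds a throwaway CA and leaf certificate, has the CA sign OCSP responses the way a server would staple them into the handshake, and then runs the checks a client should apply to a staple: issuer signature, serial match, freshness window and certificate status. Everything (CA, certificates, responses, scenarios) is constructed in-process so it runs offline; the `cryptography` package is assumed to be installed, and the outcome names accept/reject/fallback are this example's own, not Ballerina's.

```python
"""Client-side checks on a stapled OCSP response: accept a fresh GOOD staple,
refuse a REVOKED one, and fall back to a live OCSP/CRL lookup when the staple
is missing or fails validation. All material is constructed in-process."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def _make_cert(cn, issuer_name, public_key, signer_key, is_ca, now):
    """Build a minimal X.509 certificate valid for 30 days around 'now' (constructed test PKI)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name if issuer_name is not None else subject)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signer_key, hashes.SHA256())
    )


def build_staple(issuer_cert, issuer_key, leaf_cert, status, now):
    """DER-encoded OCSP response a server would staple; the CA signs it directly here."""
    revoked = status == ocsp.OCSPCertStatus.REVOKED
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=leaf_cert,
        issuer=issuer_cert,
        algorithm=hashes.SHA1(),  # CertID hash algorithm (SHA-1 is what RFC 6960 responders commonly use)
        cert_status=status,
        this_update=now,
        next_update=now + datetime.timedelta(days=1),
        revocation_time=now - datetime.timedelta(hours=1) if revoked else None,
        revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, issuer_cert)
    return builder.sign(issuer_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def check_staple(staple_der, leaf_cert, issuer_cert, now):
    """Return 'accept', 'reject' or 'fallback' for the staple received in the handshake."""
    if staple_der is None:
        return "fallback"  # server sent no staple: the client must query OCSP/CRL itself
    try:
        resp = ocsp.load_der_ocsp_response(staple_der)
    except ValueError:
        return "fallback"  # not a parsable OCSP response
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "fallback"
    # The response must be signed by the leaf's issuer (delegated OCSP signers are not handled here).
    try:
        issuer_cert.public_key().verify(
            resp.signature, resp.tbs_response_bytes, padding.PKCS1v15(), resp.signature_hash_algorithm
        )
    except InvalidSignature:
        return "fallback"
    # It must be about this very certificate ...
    if resp.serial_number != leaf_cert.serial_number:
        return "fallback"
    # ... and still inside its validity window, so an old GOOD answer cannot be replayed.
    if resp.this_update > now or (resp.next_update is not None and resp.next_update < now):
        return "fallback"
    if resp.certificate_status == ocsp.OCSPCertStatus.GOOD:
        return "accept"
    if resp.certificate_status == ocsp.OCSPCertStatus.REVOKED:
        return "reject"
    return "fallback"  # UNKNOWN: the responder cannot vouch for this certificate


def demo():
    """Run the check over constructed scenarios; returns {scenario: decision}."""
    now = datetime.datetime.utcnow().replace(microsecond=0)
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = _make_cert("Demo CA", None, ca_key.public_key(), ca_key, True, now)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_cert = _make_cert("localhost", ca_cert.subject, leaf_key.public_key(), ca_key, False, now)
    good = build_staple(ca_cert, ca_key, leaf_cert, ocsp.OCSPCertStatus.GOOD, now)
    revoked = build_staple(ca_cert, ca_key, leaf_cert, ocsp.OCSPCertStatus.REVOKED, now)
    stale = build_staple(ca_cert, ca_key, leaf_cert, ocsp.OCSPCertStatus.GOOD, now - datetime.timedelta(days=3))
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])  # last byte of the signature flipped
    return {
        "good": check_staple(good, leaf_cert, ca_cert, now),
        "revoked": check_staple(revoked, leaf_cert, ca_cert, now),
        "missing": check_staple(None, leaf_cert, ca_cert, now),
        "stale": check_staple(stale, leaf_cert, ca_cert, now),
        "tampered": check_staple(tampered, leaf_cert, ca_cert, now),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:>8}: {decision}")
```

The "fallback" outcome is the point of the post's last sentence: a missing, stale, tampered or unverifiable staple is not treated as proof of revocation, but it is also not trusted, so the client goes on to do its own OCSP or CRL lookup. Only a fresh staple signed by the issuer is acted on directly, and a REVOKED status in such a staple ends the handshake.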

Following is the example configuration for enabling OCSP stapling in Ballerina.

import ballerina/http;
import ballerina/io;

// HTTPS client endpoint; the trust store holds the CA certificates this client trusts.
endpoint http:Client clientEP {
    url: "https://localhost:9095",
    secureSocket: {
        trustStore: {
            path: "${ballerina.home}/bre/security/ballerinaTruststore.p12",
            password: "ballerina"
        },
        // Ask the server for a stapled OCSP response during the TLS handshake.
        ocspStapling: true
    }
};

function main(string... args) {
    // The handshake, including validation of the staple, happens on the first outbound call.
    var resp = clientEP->get("/echo/");
    match resp {
        error err => io:println(err.message);
        http:Response response => {
            match response.getTextPayload() {
                error payloadError => io:println(payloadError.message);
                string res => io:println(res);
            }
        }
    }
}

Happy coding with Ballerina!