OCSP Stapling与证书撤销校验（OCSP/CRL）最佳实践

背景与价值撤销检查可防止使用失效证书。OCSP Stapling在握手时提供状态，结合服务端CRL/OCSP校验可提升稳定性与安全性。统一规范优先Stapling：启用OCSP Stapling并验证状态签名与有效期。时间窗口：检查 `thisUpdate/nextUpdate` 在有效窗口内。回退策略：Stapling缺失或无效时执行服务端OCSP/CRL校验，失败阻断。核心实现OCSP响应结构与校验占位type Ocsp = { status: 'good' | 'revoked' | 'unknown'; thisUpdate: number; nextUpdate: number; issuer: string; signatureB64: string } function within(now: number, from: number, to: number): boolean { return now >= from && now <= to } function validSig(b64: string): boolean { return /^[A-Za-z0-9+/=]+$/.test(b64) } function ocspOk(r: Ocsp, now = Date.now()): boolean { if (r.status !== 'good') return false if (!within(now, r.thisUpdate, r.nextUpdate)) return false return validSig(r.signatureB64) } CRL条目检查占位type CrlEntry = { serial: string; revokedAt: number } type Crl = { issuer: string; entries: CrlEntry[] } function isRevoked(crl: Crl, serial: string): boolean { return crl.entries.some(e => e.serial === serial) } 落地建议在TLS终端启用OCSP Stapling并验证响应状态、签名与有效期窗口。Stapling缺失或无效时执行服务端OCSP/CRL校验；撤销或校验失败时拒绝连接并审计。验证清单是否验证 `thisUpdate/nextUpdate` 与签名；撤销列表是否检查序列号；失败路径是否阻断。