On Tuesday, 6 September 2016 08:31:33 UTC+1, Kurt Roeckx wrote:
> I would really like to see OCSP stapling as mandatory. There currently
> only seem to be around 25% of the servers that do it, and the progress
> seems to be very slow. I'm wondering if there is something we can do so
> that it's used more.
We see a small but significant fraction of servers where, if they enable OCSP stapling, everything breaks because their server isn't permitted to access the OCSP server (usually a well-intentioned firewall rule forbidding outbound TCP connections to the Internet from the web server) and it staples the resulting error to the certificate; browsers then reject the resulting unverified certificate.

Quality of implementation for OCSP stapling seems to remain poor in at least Apache and nginx, two of the most popular servers. Apache's in particular gives me that OpenSSL "We read this standards document and implemented everything in it as a series of config options without any understanding" feeling, rather than Apache's maintainers taking it upon themselves to figure out what will actually work best for most servers and implementing that.

I would also be more enthusiastic about multi-stapling than the original stapling, since I get the impression that all too often any problems aren't with the leaf certificate's OCSP response but with an intermediate, and so stapling only the response for the leaf won't help there.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
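The failure mode described in the message above (a server that staples the responder error it got back from a blocked outbound OCSP fetch) is easy to miss in testing, because the TLS handshake itself still completes. The check below is added here as an illustration; it is not code from the thread, from Apache or nginx, or from OpenSSL. It reads the output of `openssl s_client -status` and tells a good stapled response apart from no staple at all and from a stapled responder error. The function names `classify_stapling` and `stapling_ok` are hypothetical, and the three sample outputs are constructed to match the shape OpenSSL prints, not captured from a real server.

```shell
#!/bin/sh
# classify_stapling: read `openssl s_client -status` output on stdin and print
# one verdict line:
#   no-staple              server sent no status_request response
#   stapled-error:<code>   server stapled a responder error (e.g. trylater)
#   stapled-good           successful response, Cert Status: good
#   stapled-revoked        successful response, Cert Status: revoked
#   stapled-unknown:<x>    successful response with any other Cert Status
# Hypothetical helper written for this post; always returns 0 so the verdict
# can be captured with $(...) under `set -e`.
classify_stapling() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*) echo "no-staple"; return 0 ;;
    esac
    # OpenSSL prints "OCSP Response Status: <name> (0x<n>)"; for anything but
    # "successful" there are no response bytes, so that line is all we get.
    status=$(printf '%s\n' "$out" \
        | sed -n 's/^ *OCSP Response Status: *\([a-zA-Z]*\).*/\1/p' | head -n 1)
    if [ -z "$status" ]; then
        echo "no-staple"        # no status block at all (or output truncated)
        return 0
    fi
    if [ "$status" != "successful" ]; then
        echo "stapled-error:$status"
        return 0
    fi
    certstatus=$(printf '%s\n' "$out" \
        | sed -n 's/^ *Cert Status: *\([a-zA-Z]*\).*/\1/p' | head -n 1)
    case "$certstatus" in
        good)    echo "stapled-good" ;;
        revoked) echo "stapled-revoked" ;;
        *)       echo "stapled-unknown:${certstatus:-none}" ;;
    esac
    return 0
}

# stapling_ok: exit 0 only when a good response is stapled; anything else
# (no staple, stapled error, revoked) is a failure for a pre-deploy check.
stapling_ok() {
    case "$(classify_stapling)" in
        stapled-good) return 0 ;;
        *)            return 1 ;;
    esac
}

# --- Constructed sample outputs (shaped like `openssl s_client -status`) ---
SAMPLE_NONE='OCSP response: no response sent'

# What the firewall case in the thread looks like from the outside: the
# server passed the synthesized responder error straight through to us.
SAMPLE_TRYLATER='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: trylater (0x3)
======================================'

SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Example CA, CN = Example OCSP Responder
    Produced At: Sep  6 08:00:00 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 0123456789ABCDEF0123456789ABCDEF01234567
      Issuer Key Hash: 89ABCDEF0123456789ABCDEF0123456789ABCDEF
      Serial Number: 0A1B2C3D
    Cert Status: good
    This Update: Sep  6 08:00:00 2016 GMT
    Next Update: Sep 13 08:00:00 2016 GMT
======================================'

# Demo over the constructed samples (a live check would pipe in
# `openssl s_client -connect host:443 -servername host -status </dev/null`).
for name in SAMPLE_NONE SAMPLE_TRYLATER SAMPLE_GOOD; do
    eval "sample=\$$name"
    printf '%-16s %s\n' "$name" "$(printf '%s\n' "$sample" | classify_stapling)"
done
```

On Apache the behaviour the message complains about is governed by `SSLStaplingReturnResponderErrors` (default `on`): with it on, a failed OCSP fetch is passed to clients as a stapled error; with it off, the server simply staples nothing and the browser falls back to its ordinary revocation handling. A check like the one above flags both outcomes, so the silent fallback does not go unnoticed either.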