On Wed, Sep 03, 2025 at 08:55:54PM +0200, Ruediger Pluem wrote:
>
>
> On 9/3/25 5:49 PM, Stefan Eissing via dev wrote:
> > https://docs.digicert.com/en/whats-new/change-log/certcentral-change-log.html#digicert-ending-support-for-http-1-0-connections-for-ocsp-and-crl-certificate-status-verification-checks-619426
>
> Thanks for the heads up.
>
> >
> > On rather short notice, they switch off HTTP/1.0 in their OCSP responder.
> > That means our implementation of stapling in mod_ssl will no longer work, I
> > assume.
>
> Agreed. But as HTTP/1.1 is still accepted and we already set a host
> and connection header it should be easy to fix:

That HTTP client doesn't support chunked transfer-coding, so it cannot
declare HTTP/1.1 conformance like this.

Some irony in their statement as well, since most of the desync attacks
are against HTTP/1.1 features rather than 1.0 features?

Regards, Joe
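
What an HTTP/1.1 client has to be able to parse, as an added example that is not part of the original message and not httpd's code: a strict decoder for a chunked response body. The names `dechunk` and `hexval` are hypothetical, and the body is assumed to be fully buffered in memory.

```c
#include <stddef.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical helper (not httpd code): decode a complete chunked body.
 * Returns 0 on success, -1 on malformed/truncated framing, -2 if out is full. */
int dechunk(const char *in, size_t inlen, char *out, size_t outcap, size_t *outlen)
{
    size_t i = 0, o = 0;
    for (;;) {
        size_t size = 0, digits = 0;
        int v;
        /* chunk-size = 1*HEXDIG, capped at 7 digits so size + 2 cannot wrap */
        while (i < inlen && (v = hexval((unsigned char)in[i])) >= 0) {
            if (++digits > 7) return -1;
            size = (size << 4) | (size_t)v;
            i++;
        }
        if (digits == 0) return -1;
        /* only a chunk-ext (";...") or CRLF may follow the size */
        if (i < inlen && in[i] != '\r' && in[i] != ';') return -1;
        while (i < inlen && in[i] != '\r') i++;
        if (inlen - i < 2 || in[i + 1] != '\n') return -1;
        i += 2;
        if (size == 0) break;                 /* last-chunk */
        if (inlen - i < size + 2) return -1;  /* truncated chunk-data */
        if (outcap - o < size) return -2;
        memcpy(out + o, in + i, size);
        o += size;
        i += size;
        if (in[i] != '\r' || in[i + 1] != '\n') return -1;
        i += 2;
    }
    /* trailer section: zero or more field lines, then an empty line */
    for (;;) {
        const char *eol = memchr(in + i, '\n', inlen - i);
        if (eol == NULL || eol == in + i || eol[-1] != '\r') return -1;
        if (eol == in + i + 1) break;         /* bare CRLF ends the body */
        i = (size_t)(eol - in) + 1;
    }
    *outlen = o;
    return 0;
}
```

Rejecting anything other than `;` or CRLF after the chunk size keeps the framing unambiguous, which is the property desync attacks depend on breaking.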