Wed, Jul 24, 2024 at 23:22, William Lallemand <wlallem...@irq6.net>:
>
> On Wed, Jul 24, 2024 at 10:32:16PM +0200, Aleksandar Lazic wrote:
> > Does this announcement have any impact to HAProxy?
> >
> > "Intent to End OCSP Service"
> > https://letsencrypt.org/2024/07/23/replacing-ocsp-with-crls.html
> > https://news.ycombinator.com/item?id=41046956
> >
>

The interesting part is that Chrome (which is a dominant browser) is using its
own CRLSets machinery: https://www.chromium.org/Home/chromium-security/crlsets/

So Chrome will simply not emit either CRL or OCSP requests (but it honors
stapling).


We discovered that accidentally, while trying to "revoke" some of our certs and
wondering why it didn't work for Chrome.

> I read about this yesterday and my impression is that they are trying to
> use the excuse of the privacy problems to end a service that they have
> difficulties scaling.
>
> However this does not make much sense to me because they don't talk about
> OCSP stapling in this article, which does not have these privacy problems
> since it is done by the web server, and it honestly seems to be intentional...
>
> What it means for HAProxy deployments is that you just need to disable
> OCSP stapling once it's not available anymore.
> When OCSP stapling is not enabled, the browser requests an OCSP response
> from the OCSP responder. They are able to do the same with CRL.
>
> Honestly I don't get how this is a better approach given how CRLs are
> working in browsers currently, but things are probably going to evolve on
> the browsers' side, and the HN discussion seems to confirm that.
>
> > I know there is
> > https://docs.haproxy.org/3.0/configuration.html#5.1-crl-file
> > but maybe it's worth adding a blog post about that topic and what impact
> > this change has on HAProxy.
>
> The "crl-file" keyword on the bind line does not have anything to do with
> this, it is only useful when you want to revoke client certificates when
> doing mTLS. The problem is only on the browser side in fact.
>
> --
> William Lallemand
>
>
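A check that goes with the advice above to disable OCSP stapling in HAProxy, added here as an example and not part of the thread: it classifies the stapling section of `openssl s_client -status` output so you can confirm whether a server still sends a stapled response (and whether that response is still "successful") after the change. The host/port in `check_host` is an assumption, and the sample outputs are constructed from the format `s_client` prints.

```shell
#!/bin/sh
# Classify the OCSP stapling section of `openssl s_client -status` output.
# Reads the s_client output on stdin and prints one of:
#   none        - the server sent no stapled response
#   successful  - a stapled response whose status is "successful"
#   other       - a stapled response with another status (expired, unauthorized, ...)
#   unknown     - no OCSP section at all (for example the handshake failed)
staple_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
        echo none
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo successful
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status:'; then
        echo other
    else
        echo unknown
    fi
}

# Probe a live host (needs network access and openssl); host:port is an assumption.
check_host() {
    host=$1
    port=${2:-443}
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null \
        | staple_status
}

# Constructed sample outputs, trimmed to the lines that matter.
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
depth=2 C = US, O = Example CA'
SAMPLE_STAPLE='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'
```

Run `check_host your.haproxy.host` before and after disabling stapling; a server that still answers `successful` is still serving a stapled response from its cache.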
