Nothing that I could find in the documentation says that the OCSP stapling does anything outside of that. The OCSP server will add that status to the handshake / response. I guess, is there a way to check that OCSP response status in Apache and manually block this based on it?
——————————————————————————
Quintin Ash | Senior Software Engineer
Tenable Network Security
7021 Columbia Gateway Drive, Suite 500
Columbia, MD 21046
q...@tenable.com
W: 443-545-2101 ext. 472
tenable.com <http://www.tenable.com/>

On Mon, Apr 24, 2023 at 12:41 PM Eric Covener <cove...@gmail.com> wrote:

>> I have added tracing and see that the OCSP is revoked. I guess my
>> question is, if the certificate is revoked, should Apache deny access to
>> the website? Because it is still allowing access even though the OCSP
>> server mentions that it's revoked.
>
> Is there anything in the docs that implies OCSP stapling does anything but
> staple the OCSP response so the client can see it?
>
> Did it get added as an extension in the handshake or not?
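
Whether the OCSP response was actually added to the handshake can be checked from the client side with `openssl s_client -status`. The script below is an added example, not part of the original thread: it classifies that command's text output, and the function names and the sample output embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the stapled OCSP response a TLS client receives.
# Reads the text output of `openssl s_client -status` on stdin and prints:
#   none                     no OCSP response was stapled in the handshake
#   good | revoked | unknown Cert Status taken from the stapled response
#   error                    a staple was sent but its status is not "successful"
#   unparsed                 no OCSP section found (e.g. the connection failed)
staple_status() {
    awk '
        /OCSP response: no response sent/ { result = "none" }
        /OCSP Response Status:/ {
            if ($0 !~ /successful/) result = "error"
        }
        /Cert Status:/ && result != "error" {
            sub(/.*Cert Status:[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            result = $0
        }
        END { print (result == "" ? "unparsed" : result) }
    '
}

# Constructed sample: abridged s_client output with a stapled "revoked" response.
sample_revoked() {
cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: revoked
    Revocation Time: Apr 20 10:00:00 2023 GMT
EOF
}

# Constructed sample: server with stapling off or no cached response.
sample_none() {
    printf 'CONNECTED(00000003)\nOCSP response: no response sent\n'
}

echo "stapled, revoked: $(sample_revoked | staple_status)"
echo "nothing stapled:  $(sample_none | staple_status)"

# Against a live server (placeholder host name):
#   openssl s_client -connect www.example.org:443 -servername www.example.org \
#       -status </dev/null 2>/dev/null | staple_status
```

A result of `revoked` here means the server delivered the revoked status to the client in the handshake; acting on it is left to the client.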