OCSP stapling was defined in 2006 and allows a web server to retrieve a signed time-stamped message containing the status of its own certificate that is passed to its client. This saves the client the need to make a connection back to the issuing CA to check the status of the certificate. This has both performance and privacy benefits for the client.
This is supported by the following web-servers:
- Apache 2.3 and later
- NginX 1.3.7 and later
- IIS 7.0 and later
Nothing in my favorite Lighttpd yet? :(
#1 Updated by stbuehler about 4 years ago
- Target version set to 1.4.x
- No API documentation found:
- afaics this has to be set in a blocking callback, cache response
- for files: refresh if needed and file got changed
- probably won't support retrieving ocsp response over network
The Chromium team are pushing Certificate Transparency (CT) hard and have announced that CT will be required from Sep 2017.
OCSP stapling is one of easiest way to implement Signed Certificate Timestamp which is required in CT from the CA to the site operator.
I think now is the best time for the appearance OCSP stapling in Lighty after many years of waitng.
Also available in: Atom