Feature #2469

OCSP Stapling

Added by holler over 3 years ago. Updated 3 months ago.

Status: New
Priority: Low
Assignee: -
Category: TLS
Target version:
Start date: 2013-02-04
Due date:
% Done: 0%
Missing in 1.5.x: No

Description

OCSP stapling was defined in 2006 and allows a web server to retrieve a signed time-stamped message containing the status of its own certificate that is passed to its client. This saves the client the need to make a connection back to the issuing CA to check the status of the certificate. This has both performance and privacy benefits for the client.

This is supported by the following web servers:

- Apache 2.3 and later
- nginx 1.3.7 and later
- IIS 7.0 and later

Nothing in my favorite Lighttpd yet? :(

History

#1 Updated by stbuehler about 3 years ago

  • Target version set to 1.4.x

Notes:

  • No API documentation found: SSL_set_tlsext_status_ocsp_resp == SSL_ctrl(SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP) ?
  • afaics this has to be set in a blocking callback, cache response
    • for files: refresh if needed and file got changed
    • probably won't support retrieving ocsp response over network
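
The file-based caching sketched in the notes above, as an added example (not lighttpd code and not part of the ticket): the response is held in memory so the handshake callback never blocks on more than a `stat()`, and the file is re-read only when its mtime or size changes. The names `ocsp_cache`, `ocsp_cache_refresh` and `ocsp_cache_copy` are hypothetical, and OpenSSL is left out so the block builds stand-alone.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>

/* Hypothetical in-memory cache for one DER-encoded OCSP response file. */
struct ocsp_cache {
    unsigned char *der;   /* cached bytes, NULL until first successful load */
    size_t len;
    time_t mtime;         /* st_mtime and st_size seen at the last load */
    long long size;
    int reloads;          /* how many times the file was actually read */
};

/* Make the cache current. Reads the file only when stat() reports a new
 * mtime or size; on any error the previous copy is kept. Returns 0 if a
 * response is cached, -1 if there is none to staple. */
int ocsp_cache_refresh(struct ocsp_cache *c, const char *path)
{
    struct stat st;
    int have = c->der ? 0 : -1;

    if (stat(path, &st) != 0 || st.st_size <= 0) return have;
    if (c->der && st.st_mtime == c->mtime && (long long)st.st_size == c->size)
        return 0;                       /* unchanged: no file I/O */

    FILE *f = fopen(path, "rb");
    if (!f) return have;
    unsigned char *buf = malloc((size_t)st.st_size);
    size_t n = buf ? fread(buf, 1, (size_t)st.st_size, f) : 0;
    fclose(f);
    if (n != (size_t)st.st_size) { free(buf); return have; }

    free(c->der);
    c->der = buf; c->len = n;
    c->mtime = st.st_mtime; c->size = (long long)st.st_size;
    c->reloads++;
    return 0;
}

/* Per-handshake copy. OpenSSL takes ownership of the buffer passed to
 * SSL_set_tlsext_status_ocsp_resp(), so the cached bytes are never handed
 * over directly (with OpenSSL the copy would come from OPENSSL_malloc). */
unsigned char *ocsp_cache_copy(const struct ocsp_cache *c, size_t *len)
{
    if (!c->der) return NULL;
    unsigned char *out = malloc(c->len);
    if (out) { memcpy(out, c->der, c->len); *len = c->len; }
    return out;
}
```

The cache does not parse the response, so an expired `nextUpdate` is not detected here. Whatever tool refreshes the file should write to a temporary name and `rename()` it into place so a half-written response is never loaded.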

#2 Updated by gstrauss 3 months ago

  • Category set to TLS
