Feature #2469

OCSP Stapling

Added by holler over 7 years ago. Updated 3 days ago.

Status:
Fixed
Priority:
Normal
Category:
TLS
Target version:
ASK QUESTIONS IN Forums:
No

Description

OCSP stapling was defined in 2006 and allows a web server to retrieve a signed time-stamped message containing the status of its own certificate that is passed to its client. This saves the client the need to make a connection back to the issuing CA to check the status of the certificate. This has both performance and privacy benefits for the client.

This is supported by the following web-servers:

- Apache 2.3 and later
- NginX 1.3.7 and later
- IIS 7.0 and later

Nothing in my favorite Lighttpd yet? :(


Related issues

Related to Feature #2278: client cert verification via OCSP (Wontfix)
#1

Updated by stbuehler about 7 years ago

  • Target version set to 1.4.x

Notes:

  • No API documentation found: SSL_set_tlsext_status_ocsp_resp == SSL_ctrl(SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP) ?
  • afaics this has to be set in a blocking callback, cache response
    • for files: refresh if needed and file got changed
    • probably won't support retrieving ocsp response over network
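The design sketched in the note above (a blocking status callback that hands back a cached response, re-reading the stapling file only when it has changed) as an added Python model; this is example code, not lighttpd's implementation. It walks the DER of an OCSP response just far enough to read the first SingleResponse's nextUpdate, and `staple()` reloads on an mtime change and refuses to staple a response that has expired. The file path and the caller-owned `cache` dict are assumptions, and `build_sample_response` constructs an unsigned sample purely for testing.

```python
from datetime import datetime, timedelta, timezone
from pathlib import Path

def _tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n, length = length & 0x7F, 0
        for _ in range(n):
            length, pos = (length << 8) | buf[pos], pos + 1
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    out, pos = [], 0                                    # (tag, value) pairs inside a constructed value
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        out.append((tag, inner))
    return out

def ocsp_next_update(der):
    """OCSPResponse -> [0] responseBytes -> OCTET STRING -> BasicOCSPResponse
    -> tbsResponseData -> responses -> first SingleResponse -> [0] nextUpdate."""
    resp_bytes = _children(_tlv(der)[1])[1][1]
    basic = _tlv(_children(_children(resp_bytes)[0][1])[1][1])[1]
    responses = next(v for t, v in _children(_children(basic)[0][1]) if t == 0x30)
    for tag, val in _children(_tlv(responses)[1]):
        if tag == 0xA0:                                 # [0] EXPLICIT GeneralizedTime
            return datetime.strptime(_tlv(val)[1].decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return None                                         # nextUpdate is OPTIONAL

def staple(path, now, cache):
    """Bytes to staple, or None: re-read only when the file's mtime changed; never staple past nextUpdate."""
    path, mtime = Path(path), Path(path).stat().st_mtime_ns
    if cache.get("mtime") != mtime:                     # file got changed: reload
        cache["der"] = path.read_bytes()
        cache["mtime"], cache["next"] = mtime, ocsp_next_update(cache["der"])
    return None if cache["next"] and now >= cache["next"] else cache["der"]

def _der(tag, payload):                                 # DER encoder for the sample; contents < 256 bytes
    n = len(payload)
    return (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n])) + payload

def build_sample_response(this_update, next_update):
    """Constructed, unsigned 'good' response for testing only (not from a CA)."""
    gt = lambda dt: _der(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())
    single = _der(0x30, _der(0x30, b"") + b"\x80\x00" + gt(this_update) + _der(0xA0, gt(next_update)))
    tbs = _der(0x30, _der(0xA2, _der(0x04, bytes(20))) + gt(this_update) + _der(0x30, single))
    basic = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    rb = _der(0x30, _der(0x06, bytes.fromhex("2b0601050507300101")) + _der(0x04, basic))
    return _der(0x30, b"\x0a\x01\x00" + _der(0xA0, rb))
```

A server that keeps stapling a response past nextUpdate will be rejected by clients that verify the staple, so sending nothing is the safer failure mode.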
#2

Updated by gstrauss about 4 years ago

  • Category set to TLS
#3

Updated by carpii almost 4 years ago

Just adding that I would love to see this in lighty 1.4.x also

[Edit, although 1.4 sounds unlikely. This ticket is a dupe of #2278]

#4

Updated by gstrauss almost 4 years ago

  • Is duplicate of Feature #2278: client cert verification via OCSP added
#5

Updated by gstrauss almost 4 years ago

  • Status changed from New to Duplicate

Never say never. :) Adding this to lighttpd 1.4.x is on the table, but not being worked on at the moment.

#6

Updated by gstrauss over 3 years ago

  • Is duplicate of deleted (Feature #2278: client cert verification via OCSP)
#7

Updated by gstrauss over 3 years ago

  • Related to Feature #2278: client cert verification via OCSP added
#8

Updated by gstrauss over 3 years ago

  • Status changed from Duplicate to Reopened

#2278 requests support for checking CRL/OCSP on certificates received from client.

This ticket requests that lighttpd send OCSP stapling info.

#9

Updated by mxm about 3 years ago

The Chromium team are pushing Certificate Transparency (CT) hard and have announced that CT will be required from Sep 2017.
OCSP stapling is one of the easiest ways to implement Signed Certificate Timestamps, which CT requires from the CA to the site operator.
I think now is the best time for the appearance of OCSP stapling in Lighty after many years of waiting.

#10

Updated by gstrauss about 2 years ago

  • Priority changed from Low to Normal
#11

Updated by gstrauss 5 months ago

  • Status changed from Reopened to New
#12

Updated by gstrauss about 1 month ago

  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.56
  • ASK QUESTIONS IN Forums set to No

Implemented in my dev branch. Would anyone like to help kick the tires?

#13

Updated by gstrauss 3 days ago

  • Status changed from Patch Pending to Fixed
