On Tuesday, September 6, 2016 at 7:54:14 AM UTC-7, Jakob Bohm wrote:
> On 06/09/2016 16:43, Martin Rublik wrote:
> > On Tue, Sep 6, 2016 at 2:16 PM, Jakob Bohm <[email protected]> wrote:
> >
> >> Here is a list of software where I have personally observed bad OCSP
> >> stapling support:
> >>
> >> IIS for Windows Server 2008 (latest IIS supporting pure 32 bit
> >> configurations): No obvious (if any) OCSP stapling support.
> >
> >
> > AFAIK IIS 7.0 supports OCSP stapling and it is enabled by default, for more
> > information see https://unmitigatedrisk.com/?p=95 or
> > https://www.digicert.com/ssl-support/windows-enable-ocsp-stapling-on-server.htm
> >
> >
> Nice surprise (if true), this was unreasonably well hidden, for example
> there is no indication of this in any relevant parts of the
> administration user interface. I'll have to devise a test to check if
> it actually does staple OCSP on our servers.
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded

It is true. Windows (and IIS as a result) was the first to support OCSP stapling and has the most robust support for it. Sleevi has a nice summary of OCSP stapling issues here - https://gist.github.com/sleevi/5efe9ef98961ecfb4da8

Let's start a new thread to discuss OCSP stapling vs re-using this one.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
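
One way to run the stapling test mentioned in the quoted message, as an added example that is not part of the original thread: it classifies the output of `openssl s_client -status` taken from a handshake with your own server. The function names and the two sample outputs are constructed for illustration.

```shell
# Classify `openssl s_client -status` output read on stdin.
# Prints one of: stapled-good, stapled-not-good, not-stapled, inconclusive.
stapling_status() {
    out=$(cat)
    case $out in
        # openssl prints this line when the server sent no stapled response.
        *'OCSP response: no response sent'*) echo not-stapled ;;
        # A stapled response that parsed and vouches for the certificate.
        *'OCSP Response Status: successful'*'Cert Status: good'*) echo stapled-good ;;
        # A response was stapled, but it is an error or not "good".
        *'OCSP Response Status:'*) echo stapled-not-good ;;
        # Handshake failed or output is not what we expect.
        *) echo inconclusive ;;
    esac
}

# Hypothetical helper for a live check (needs network access and openssl).
# Usage: check_host www.example.com [port]
check_host() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | stapling_status
}

# Constructed sample: abbreviated output from a server that staples.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good'

# Constructed sample: output from a server that does not staple.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'
```
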

