On 05.09.2015 13:06, Tim Bannister wrote:
> It's not just conventional browsers. I think automated / embedded
> HTTP clients will also benefit from stapling, either because
> networking filters would block a conversation between the client and
> the CA's OCSP responder, or the extra latency from using conventional
> OCSP is a problem.
That hope is mostly futile: OpenSSL, e.g., presumably quite popular for implementing such clients, does not include any readily available support for enabling OCSP checking in client mode. And even if a library has some sort of knob for turning it on (Sun^WOracle's CertPath provider, e.g.), you'll mostly find that they don't handle stapled responses. Consider yourself happy if a client at least does some sort of hostname verification (see https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf for further background; the situation hasn't changed fundamentally since then).

> For another example of a non-interactive application implementing
> OCSP, look at the Exim mail transfer agent (which can be both client
> and server).

SMTP with STARTTLS isn't a useful example, sorry... it's opportunistic encryption only in the best case, and for MTA communications, DANE-EE (https://datatracker.ietf.org/doc/draft-ietf-dane-smtp-with-dane/) looks like a more promising approach.

Kaspar