OCSP is obviously enabled, but not OCSP stapling.

On 11/07/2012 05:18 PM, joris dedieu wrote:
> 2012/11/7 Hervé COMMOWICK <[email protected]>:
>> As of now, on client side, it is only working on IE9 (not before, not
>> after) and Opera, not so common...
>
> It's enabled in Firefox for a long time (Edit / Preference / Advanced /
> Encryption / Validation or search ocsp in about:config).
> See : https://bugzilla.mozilla.org/show_bug.cgi?id=110161
>
>
>>
>> Look at this : http://www.imperialviolet.org/2012/02/05/crlsets.html for
>> Google's thoughts
>> Short : "On this basis, we're currently planning on disabling online
>> revocation checks in a future version of Chrome. (There is a class of
>> higher-security certificate, called an EV certificate, where we haven't
>> made a decision about what to do yet.)"
>>
>> And this : https://bugzilla.mozilla.org/show_bug.cgi?id=360420#c10 for
>> Mozilla's thoughts.
>> Short : "it's busted by design. It can only carry a single response and
>> hardly any sites have only one OCSP certificate in their chain these
>> days. So it doesn't eliminate the OCSP lookup delay, which is its primary
>> attraction."
>>
>> Hervé C.
>>
>>
>> On 11/06/2012 11:02 PM, Willy Tarreau wrote:
>>> Hi Lukas,
>>>
>>> On Tue, Nov 06, 2012 at 04:57:59PM +0100, Lukas Tribus wrote:
>>>>
>>>> Don't know if it helps without some knowledge of the nginx source code, but
>>>> here [1] you can find the patches applied to nginx to introduce OCSP
>>>> support.
>>>
>>> Thanks for the pointer. Anyway as you suspect, source code alone doesn't
>>> tell much about the real benefits to expect from this feature, nor how
>>> it's supposed to be used (especially by clients).
>>>
>>>> It doesn't seem to be trivial to implement though, because you also need
>>>> to run (at regular intervals) an OCSP query towards the CA's OCSP server...
>>>
>>> Amusingly, running a task at regular intervals is the easiest part to do,
>>> it's just like health checks. We could decide to dedicate such a task per
>>> stapling-enabled bind line and it would not be much of an issue. The
>>> overhead would not even be measurable if we were working at insane refresh
>>> rates.
>>>
>>> What's unclear to me is how many clients do support this nowadays, how many
>>> servers do, whether or not users are willing to allow outgoing connections
>>> to fetch such cert statuses, whether or not non-stapling aware clients would
>>> be impacted by the feature (eg: increased handshake size due to advertised
>>> extension and data to everyone) etc...
>>>
>>> I think we need to take more time to study this in detail, but until
>>> someone comes with a detailed description of what this will bring to
>>> his site, I'm not sure anyone will spend more time on this :-/
>>>
>>> Regards,
>>> Willy
>>>
>>>
>>
>> --
>> Hervé COMMOWICK
>> Systems and network engineer.
>>
>> http://www.rezulteo.com
>> by Lizeo Online Media Group <http://www.lizeo-online-media-group.com/>
>> 42 quai Rambaud - 69002 Lyon (France) ⎮ ☎ +33 (0)4 63 05 95 30
>>

--
Hervé COMMOWICK
Systems and network engineer.

http://www.rezulteo.com
by Lizeo Online Media Group <http://www.lizeo-online-media-group.com/>
42 quai Rambaud - 69002 Lyon (France) ⎮ ☎ +33 (0)4 63 05 95 30
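The thread above talks about the two server-side halves of stapling in the abstract: a periodic task that fetches an OCSP response for the server certificate from the CA's responder, and the question of what the server then does with it. The script below is an added example for this thread, not code from HAProxy, nginx or any of the posters, and it runs the whole cycle offline with the openssl command-line tool (1.1.1 or 3.x assumed). Everything in it is constructed for the demonstration: the throwaway CA, the two leaf certificates (serials 0x1000 and 0x1001), the hand-written index.txt that stands in for the CA's database, the `example.test` names and the one-day `-ndays 1` validity. Against a real CA, `fetch_ocsp_response` would drop the `-index`/`-rsigner`/`-rkey`/`-CA` options and pass `-url` with the OCSP URL taken from the certificate's Authority Information Access extension; the rest, in particular the refusal to staple anything but a verified "good" answer, stays the same.

```shell
#!/bin/sh
# Added example for this thread, not code from HAProxy, nginx or any poster.
# It simulates, offline, the server side of OCSP stapling: the periodic
# refresh task (fetch a signed response for our certificate) and the check a
# server must make before it staples what it fetched.
# The CA, certificates, index file, names and validity periods are all
# constructed here for the demonstration.
set -u

OPENSSL=${OPENSSL:-openssl}

# Issue one leaf certificate "$2" with serial "$3" from the CA kept in "$1".
issue_leaf() {
    dir=$1 name=$2 serial=$3
    "$OPENSSL" req -newkey rsa:2048 -nodes -subj "/CN=$name.example.test" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
    "$OPENSSL" x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial "$serial" -days 1 -out "$dir/$name.pem" >/dev/null 2>&1
}

# Build a throwaway CA, one valid and one revoked leaf, and a CA database in
# the layout "openssl ca" uses (status, expiry, revocation date, serial in
# hex, file name, subject). The responder below answers from this file; with
# a real CA the refresh task queries its HTTP responder instead.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    "$OPENSSL" req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=Example-Test-CA \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    issue_leaf "$dir" good 0x1000
    issue_leaf "$dir" revoked 0x1001
    printf 'V\t301231235959Z\t\t1000\tunknown\t/CN=good.example.test\n' > "$dir/index.txt"
    printf 'R\t301231235959Z\t121107000000Z\t1001\tunknown\t/CN=revoked.example.test\n' >> "$dir/index.txt"
}

# The refresh task: obtain a freshly signed OCSP response for leaf "$2" and
# store it as DER, the form a server staples into the handshake. Against a
# real CA, replace the -index/-rsigner/-rkey/-CA options with "-url <AIA URL>".
fetch_ocsp_response() {
    dir=$1 name=$2
    "$OPENSSL" ocsp -index "$dir/index.txt" -CA "$dir/ca.pem" \
        -rsigner "$dir/ca.pem" -rkey "$dir/ca.key" -ndays 1 -no_nonce \
        -issuer "$dir/ca.pem" -cert "$dir/$name.pem" \
        -respout "$dir/$name.ocsp.der" >/dev/null 2>&1
    [ -s "$dir/$name.ocsp.der" ]
}

# Verify a stored response against the issuer, as the server must before
# stapling it. Prints the status ("good", "revoked", "unknown" or
# "verify-failed") and succeeds only for "good": on anything else a server
# should keep serving its previous good response rather than staple this one.
ocsp_status() {
    dir=$1 name=$2
    out=$("$OPENSSL" ocsp -respin "$dir/$name.ocsp.der" -issuer "$dir/ca.pem" \
        -cert "$dir/$name.pem" -CAfile "$dir/ca.pem" -no_nonce 2>&1)
    case $out in
        *"Response verify OK"*) ;;
        *) echo verify-failed; return 1 ;;
    esac
    status=$(printf '%s\n' "$out" | awk -F': ' -v f="$dir/$name.pem" '$1 == f { print $2; exit }')
    echo "${status:-unknown}"
    [ "$status" = good ]
}

# Print the response's nextUpdate time. The refresh task has to run again
# before it: clients reject a stapled response whose nextUpdate has passed.
ocsp_next_update() {
    dir=$1 name=$2
    "$OPENSSL" ocsp -respin "$dir/$name.ocsp.der" -noverify -resp_text 2>/dev/null |
        sed -n 's/^[[:space:]]*Next Update: //p' | head -n 1
}

WORK=$(mktemp -d)
make_test_pki "$WORK"
for n in good revoked; do
    fetch_ocsp_response "$WORK" "$n"
    printf '%s: %s (next update %s)\n' "$n" "$(ocsp_status "$WORK" "$n")" "$(ocsp_next_update "$WORK" "$n")"
done
```

The check that the first line of the mail above is based on can be run from the client side against any live server with `openssl s_client -connect host:443 -status`: a server that staples prints the OCSP response block, one that does not prints "OCSP response: no response sent". That is also the quickest way to confirm a refresh task is actually doing its job after deployment.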

