On 19.12.18 at 14:20, Rob Stradling wrote:
> On 19/12/2018 13:13, Salz, Rich wrote:
>>>     OpenSSL already has some support for Must-Staple:
>>>     https://github.com/openssl/openssl/pull/495
>>
>> Oops, yeah, you're right.  But it's not really documented and not hooked up
>> to any popular server, is it?  OpenSSL can parse it, but that's about it.
> 
> I suspect that's true.
> 
> What would hooking it up to a webserver look like, I wonder?  Would the 
> webserver automatically enable OCSP stapling if the server cert 
> indicates Must Staple?  Or would the webserver throw an error and refuse 
> to start until the administrator has manually enabled OCSP stapling?
> 

Let me also answer some previous questions:

The problem exists on an Exim server.
Exim is compiled with OpenSSL 1.1.1a.
There is a 384-bit ECDSA certificate from Let's Encrypt with Must-Staple
enabled in place.
The config adds a staple file with the status_response from the
Let's Encrypt OCSP server.

This part works very well without any issues.

To check the functionality, there were the openssl command line,
https://hardenize.com and Thunderbird as mail client.
Thunderbird (recent version) refuses to establish a TLS connection when
the stapling file is not added as an extension to the certificate.


OCSP Must-Staple certificates also work very well on Apache and nginx.
Nginx starts without any issue when stapling is not enabled, but Firefox
and Chrome will fail to connect with TLS errors.
Other browsers may behave similarly.

Shall I open a ticket for OpenSSL?
GnuTLS also seems not to be able to staple the status_response when in
client mode.

Have I missed clarifying something?

Torsten
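One way to check the Must-Staple property this message is about, as an added example that is not code from the thread, from Exim or from OpenSSL: it decodes the TLS Feature extension (RFC 7633, OID 1.3.6.1.5.5.7.1.24) out of a certificate's DER-encoded Extensions and reports whether a client that enforces it, as Thunderbird, Firefox and Chrome do in the behaviour described above, would accept a handshake with or without a stapled OCSP response. The sample Extensions bytes are constructed for the example.

```python
# Added example, not code from the thread: decode the TLS Feature ("Must-Staple",
# RFC 7633) extension from a DER Extensions SEQUENCE and decide whether a client
# that enforces it accepts a handshake with or without a stapled OCSP response.
TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"  # id-pe-tlsfeature
STATUS_REQUEST = 5  # TLS extension type "status_request" (OCSP stapling)

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OID contents (base-128 arcs) into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def tls_features(extensions_der):
    """Return the feature list of the TLS Feature extension, [] if absent."""
    _, exts, _ = _tlv(extensions_der, 0)       # Extensions ::= SEQUENCE OF Extension
    pos = 0
    while pos < len(exts):
        _, ext, pos = _tlv(exts, pos)          # Extension ::= SEQUENCE
        _, oid_raw, p = _tlv(ext, 0)           # extnID OBJECT IDENTIFIER
        if _decode_oid(oid_raw) != TLS_FEATURE_OID:
            continue
        tag, val, p = _tlv(ext, p)
        if tag == 0x01:                        # optional 'critical' BOOLEAN
            _, val, p = _tlv(ext, p)           # extnValue OCTET STRING
        _, seq, _ = _tlv(val, 0)               # Features ::= SEQUENCE OF INTEGER
        features, q = [], 0
        while q < len(seq):
            _, num, q = _tlv(seq, q)
            features.append(int.from_bytes(num, "big"))
        return features
    return []

def handshake_accepted(extensions_der, server_staples):
    """Must-Staple-enforcing clients reject a handshake that carries no stapled response."""
    return server_staples or STATUS_REQUEST not in tls_features(extensions_der)

SAMPLE_EXTENSIONS = bytes.fromhex(  # constructed: basicConstraints, then TLS Feature
    "301e 3009 0603 551d13 0402 3000"
    "3011 0608 2b0601050507 0118 0405 3003 020105")
```

Feeding the Extensions SEQUENCE of a real certificate (for example, as extracted with a DER library) into `handshake_accepted` gives the same verdict for the Exim, Apache and nginx cases above: without a staple, a Must-Staple certificate is rejected by enforcing clients.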

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
