OCSP stapling is supported on

   - Apache HTTP Server (>=2.3.3)
   - Nginx (>=1.3.7)

The symbol means greater than or equal to 2.3.3.
To be honest, I had never heard of OCSP stapling, so I googled.

The how-to and concepts can be found at:

https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx



On Thu, 16 Feb 2023, 13:01 Akshath Hegde, <arhsa...@gmail.com> wrote:

> Hi,
> I had some questions about using OCSP for revocation.
> I have a client that connects to apache http server 2.4.37 (RHEL). I have
> enabled SSL and OCSP stapling on the server with this configuration ->
> Root
>    -> Intermediate
>         -> Server Certificate
>         -> OCSP signer certificate
> Both the intermediate and Server certificate contain the OCSP responder
> URL in AIA extension. And there is an OCSP responder running on the same.
> The client will send the "status_request" extension during handshake. I
> see the server is querying the responder for the revocation status of the
> end entity certificate and returning that back to client. But the
> revocation status for intermediate cert doesn't seem to be queried or put
> back in response.
> Note: The version negotiated is TLS 1.3
> From the documentation about OCSP stapling it seemed RFC 6961 is not
> implemented (relevant for TLS 1.2). Please let me know if this understanding
> is correct. But in case of TLS 1.3, the response can be added as a
> certificate specific extension of TLS Certificate message. It wasn't clear
> if I should be expecting the OCSP response even for the intermediate cert
> in this situation.
>
> To summarize:
> Is OCSP multi stapling supported by apache 2.4.37?
>
> Any pointers would be helpful. Thanks in advance
>
> Regards
> Akshath
>
>
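
Added example (not part of the original thread, and not Apache or OpenSSL code): the question above turns on TLS 1.3 carrying each OCSP response as a `status_request` extension on an individual CertificateEntry of the Certificate message (RFC 8446, section 4.4.2). This parser reports which entries of a decrypted Certificate message body carry a staple; the function names and the sample bytes are constructed for illustration, and the sample mirrors the observation in the question (leaf stapled, intermediate not).

```python
import struct

STATUS_REQUEST = 5  # extension type, attached per CertificateEntry in TLS 1.3
OCSP = 1            # CertificateStatusType "ocsp"

def _vec(buf, pos, n):
    """Read a vector with an n-byte length prefix; return (data, next_pos)."""
    length = int.from_bytes(buf[pos:pos + n], "big")
    end = pos + n + length
    if end > len(buf):
        raise ValueError("truncated vector")
    return buf[pos + n:end], end

def stapled_entries(body):
    """Parse a TLS 1.3 Certificate message body; one dict per chain entry."""
    _context, pos = _vec(body, 0, 1)        # certificate_request_context
    cert_list, pos = _vec(body, pos, 3)     # certificate_list
    if pos != len(body):
        raise ValueError("trailing bytes after certificate_list")
    out, p = [], 0
    while p < len(cert_list):
        cert, p = _vec(cert_list, p, 3)     # cert_data (DER in real traffic)
        exts, p = _vec(cert_list, p, 2)     # extensions for this entry only
        ocsp_len, q = None, 0
        while q < len(exts):
            ext_type = int.from_bytes(exts[q:q + 2], "big")
            data, q = _vec(exts, q + 2, 2)
            if ext_type == STATUS_REQUEST and data[:1] == bytes([OCSP]):
                ocsp_len = len(_vec(data, 1, 3)[0])  # OCSPResponse<1..2^24-1>
        out.append({"cert_len": len(cert), "ocsp_len": ocsp_len})
    return out

def _entry(cert, ocsp=None):
    """Build one CertificateEntry, optionally with a stapled response."""
    ext = b""
    if ocsp is not None:
        status = bytes([OCSP]) + len(ocsp).to_bytes(3, "big") + ocsp
        ext = struct.pack("!HH", STATUS_REQUEST, len(status)) + status
    return len(cert).to_bytes(3, "big") + cert + struct.pack("!H", len(ext)) + ext

def sample_message():
    # Constructed placeholder bytes, not real certificates or OCSP responses.
    entries = _entry(b"LEAF" * 8, ocsp=b"OCSP" * 4) + _entry(b"INTERMEDIATE" * 3)
    return b"\x00" + len(entries).to_bytes(3, "big") + entries

if __name__ == "__main__":
    for i, e in enumerate(stapled_entries(sample_message())):
        print(i, "stapled" if e["ocsp_len"] else "no staple", e)
```

The input is the plaintext handshake message body, so against a live server it has to come from a capture decrypted with the session keys.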
