Closed (ghost closed this 3 years ago)
Unfortunately, .NET WebRequest does not support OCSP stapling yet: https://docs.microsoft.com/en-us/answers/questions/186836/does-the-net-httpwebrequest-class-support-ocsp-sta.html
Hopefully, Windows Server 2022 and Windows 11 will have upgraded Schannel with support for this.
There is a sample of how to make an OCSP client with Bouncy Castle in .NET. But that would require a complete redesign of web requests and TLS to switch from stock to Bouncy Castle.
Related-to: #158, #159
I could enable certificate revocation check. It's disabled by default in .NET.
How would that work? Checking a CRL? Doing OCSP (without stapling)?
It downloads and checks CRL. The classic CRL. No OCSP client side IIRC.
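Added illustration, not code from the eduVPN/Let's Connect! apps: how the CRL-based revocation check discussed above is switched on for a .NET SocketsHttpHandler, showing the default (no revocation check) next to a fail-closed configuration. The class and method names are my own; the framework APIs are standard .NET.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class RevocationAwareClient
{
    // Default handler: RevocationMode is NoCheck, so a revoked server
    // certificate is still accepted as long as the chain otherwise validates.
    public static HttpClient Default() => new HttpClient(new SocketsHttpHandler());

    // Hardened handler: ask the platform to fetch and check the CRL
    // (the "classic CRL" from the comment above; no OCSP stapling involved)
    // and refuse the connection when revocation status cannot be determined.
    public static HttpClient WithRevocationCheck()
    {
        var handler = new SocketsHttpHandler();
        handler.SslOptions.CertificateRevocationCheckMode = X509RevocationMode.Online;
        handler.SslOptions.RemoteCertificateValidationCallback = FailClosed;
        return new HttpClient(handler);
    }

    // Custom validator: any policy error is fatal, and revocation problems
    // are called out explicitly so the fail-closed intent is visible in code.
    static bool FailClosed(object sender, X509Certificate? cert,
                           X509Chain? chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None || chain is null)
            return false;

        const X509ChainStatusFlags revocationProblems =
            X509ChainStatusFlags.Revoked
            | X509ChainStatusFlags.RevocationStatusUnknown
            | X509ChainStatusFlags.OfflineRevocation;

        foreach (var status in chain.ChainStatus)
        {
            // A revoked certificate, or one whose CRL could not be retrieved,
            // is treated as a hard failure rather than a warning.
            if ((status.Status & revocationProblems) != 0)
                return false;
        }
        return true;
    }
}
```

Note that an unreachable CRL distribution point now fails the handshake, so availability of the CA's CRL endpoint becomes part of the client's dependency set.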
So let's close this as it seems like a dead end and by now I think it will be a (very) bad idea to do this, we also found that some servers (re)configured TLS so that OCSP stapling is no longer configured (properly).
Would it be possible to enable (=force) OCSP stapling for the (.NET?) HTTP client as used by the eduVPN/Let's Connect! apps?
This is important to be able to detect revoked certificates as there currently is no other means to make sure clients do not continue to connect to MITM servers after the TLS key has been stolen from the "real" server and this has been detected.