yegle opened this issue 5 years ago
Note: w/o OCSP stapling in the response, it will likely get into a deadlock where the client has to resolve the OCSP server hostname to validate the certificate, but it can't because you have to trust the server to send the DNS query.
This deadlock is mentioned in the DNS-over-HTTPS RFC. Given that, can we prioritize the work here a little bit?
Let's Encrypt certificates require OCSP stapling, so this missing feature prevents use of LE certificates (in conforming environments, where the client will correctly honor the cert's OCSP requirement).
EDIT: I was wrong; LE offers OCSP-must-staple on certificates but does not require it. Unbound serves TLS properly with an LE cert that does not have the OCSP-must-staple extension enabled.
In the OPNsense context, this would be an awesome feature :)
Can we add OCSP stapling support in the response to avoid a deadlock when running a DNS-over-TLS-only Unbound server?
It's currently not supported. I see NSD recently got OCSP stapling support, so presumably it would be trivial.
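The deadlock described in this thread only bites when the DoT server sends no staple, so the check a practitioner wants is whether the server's TLS handshake actually carries one. The following is an added example (not code from this issue or from the Unbound project) that parses `openssl s_client -status` output; the hostname passed to `check_dot_staple` is a placeholder you supply.

```shell
#!/bin/sh
# Added example, not code from the Unbound issue: check whether a
# DNS-over-TLS server staples an OCSP response in its TLS handshake.
# It parses the output of `openssl s_client -status`, which prints
# "OCSP Response Status: successful (0x0)" when a staple is present and
# "OCSP response: no response sent" when the server sent none.

# Read s_client output on stdin and print one of: stapled, none, unknown.
classify_staple() {
  out=$(cat)
  case "$out" in
    *"OCSP Response Status: successful"*) echo stapled ;;
    *"OCSP response: no response sent"*) echo none ;;
    *) echo unknown ;;
  esac
}

# Exit status 0 only if stdin shows a stapled response.
has_ocsp_staple() {
  [ "$(classify_staple)" = stapled ]
}

# Live check of a DoT resolver (port 853). -servername sends SNI so the
# server can pick the right certificate; the hostname is a placeholder.
check_dot_staple() {
  host="$1"; port="${2:-853}"
  openssl s_client -connect "$host:$port" -servername "$host" -status \
    </dev/null 2>/dev/null | classify_staple
}

# Usage (placeholder hostname):
#   check_dot_staple dot.example.net
```

A result of `none` from a resolver that is the client's only DNS path is exactly the situation the thread warns about: a client that honors the certificate's OCSP requirement cannot reach the OCSP responder to complete validation.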
OCSP stapling test output: