Open HLFH opened 8 years ago
Yep, that would be a great feature.
OCSP is not a server-side feature, but a browser (OCSP request) + CA (OCSP URL inside signed certificate) side.
Only OCSP stapling (not standalone OCSP) can be checked server side. Possible to implement, waiting for a PR? :D
@aeris You could tag this issue as backlog and feature request until @Angristan or I do the PR.
Seems OpenSSL in Ruby doesn't have code to access OCSP information.
@aeris With execJS + Node.js + OCSP APIs for Node.js, could we do that?
No way I touch JavaScript! And very complicated to include in the existing code, by the way.
Seems to not really implement OCSP stapling, but only to request the server (CA or content) outside the TLS context. More equivalent to standalone OCSP (a specific request without a real content query) than to OCSP stapling (revocation data included during the handshake for the real content).
For correct scoring, we need to check real browser handshake / request and not specific traffic.
Some Perl code: https://github.com/h2o/h2o/blob/master/share/h2o/fetch-ocsp-response
Some Python code: https://github.com/tatsuhiro-t/nghttp2/blob/master/script/fetch-ocsp-response
Some other Python code: https://github.com/iSECPartners/sslyze/blob/master/plugins/PluginCertInfo.py
Does that help? Or is that off-topic?
Off-topic: this is standalone OCSP, not stapling. Currently not doable without a Ruby openssl extension patch; the OCSP stapling API is not available at this time.
What about must-staple?
Hi,
Could you support OCSP?
It would be really cool to know after a TLS scan if OCSP is correctly enabled.
@angristan will be very happy too.
Thanks, HLFH
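As an added example (not code from this thread or from the project being discussed), the script below checks what the thread asks for: whether revocation data is actually stapled into the TLS handshake, as opposed to a standalone OCSP query to the CA. It drives the real handshake with `openssl s_client -status`, classifies the status block OpenSSL prints, and also reports whether the served certificate carries the RFC 7633 must-staple (TLS Feature) extension, which answers the "what about must-staple?" question: a must-staple certificate served without a stapled response is flagged as an error. It assumes the `openssl` CLI is on PATH; the host name comes from the `OCSP_CHECK_HOST` environment variable (nothing on the page names one), and the sample outputs embedded in the script are constructed for offline use.

```shell
#!/bin/sh
# Added example; not code from the thread or from the project under discussion.
# Assumptions: the `openssl` CLI is on PATH; the host to scan comes from the
# OCSP_CHECK_HOST environment variable (a placeholder, no host is named here).

# Classify the OCSP status block that `openssl s_client -status` prints from
# the real TLS handshake. Output is one of:
#   not-stapled        no status_request answer was sent in the handshake
#   stapled:good       a response was stapled and says "Cert Status: good"
#   stapled:revoked    a response was stapled and the certificate is revoked
#   stapled:unknown    a response was stapled but the responder does not know the cert
#   stapled:<status>   a response was stapled but its "OCSP Response Status" is
#                      not "successful" (e.g. trylater, unauthorized)
staple_status_from_output() {
  out="$1"
  if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
    echo "not-stapled"; return 0
  fi
  rstatus=$(printf '%s\n' "$out" \
    | sed -n 's/^ *OCSP Response Status: \([A-Za-z]*\).*/\1/p' | head -n 1)
  if [ -z "$rstatus" ]; then
    echo "not-stapled"; return 0
  fi
  if [ "$rstatus" != "successful" ]; then
    echo "stapled:$rstatus"; return 0
  fi
  cstatus=$(printf '%s\n' "$out" \
    | sed -n 's/^ *Cert Status: \([a-z]*\).*/\1/p' | head -n 1)
  echo "stapled:${cstatus:-unparsed}"
}

# Detect RFC 7633 must-staple (TLS Feature extension containing
# status_request) in the text form produced by `openssl x509 -noout -text`.
# Prints "yes" or "no".
must_staple_from_x509_text() {
  if printf '%s\n' "$1" | grep -A1 'TLS Feature' | grep -q 'status_request'; then
    echo yes
  elif printf '%s\n' "$1" | grep -q '1\.3\.6\.1\.5\.5\.7\.1\.24'; then
    echo yes   # older OpenSSL builds print the raw id-pe-tlsfeature OID instead
  else
    echo no
  fi
}

# Live check: one real handshake with SNI and the status_request extension,
# then both classifications. Returns 1 when a must-staple certificate was
# served without a stapled response (what a strict client would reject).
check_host() {
  host="$1"; port="${2:-443}"
  hs=$(openssl s_client -connect "$host:$port" -servername "$host" -status \
       </dev/null 2>/dev/null)
  staple=$(staple_status_from_output "$hs")
  cert_text=$(printf '%s\n' "$hs" | openssl x509 -noout -text 2>/dev/null)
  ms=$(must_staple_from_x509_text "$cert_text")
  echo "$host: stapling=$staple must-staple=$ms"
  if [ "$ms" = yes ] && [ "$staple" = not-stapled ]; then
    echo "$host: certificate requires stapling but the handshake carried no response" >&2
    return 1
  fi
  return 0
}

# Constructed samples (trimmed to the relevant lines) of what s_client prints.
SAMPLE_STAPLED_GOOD='OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT'
SAMPLE_NOT_STAPLED='OCSP response: no response sent'
SAMPLE_STAPLED_TRYLATER='OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: trylater (0x3)'
# Constructed fragments of `openssl x509 -noout -text` output.
SAMPLE_X509_MUST_STAPLE='            X509v3 Key Usage: critical
                Digital Signature
            TLS Feature: 
                status_request'
SAMPLE_X509_PLAIN='            X509v3 Key Usage: critical
                Digital Signature'

# Only touch the network when a host was explicitly supplied.
if [ -n "${OCSP_CHECK_HOST:-}" ]; then
  check_host "$OCSP_CHECK_HOST" "${OCSP_CHECK_PORT:-443}"
fi
```

Run it as `OCSP_CHECK_HOST=example.test sh ocsp-staple-check.sh`; the classification functions can also be fed captured `s_client` output for offline analysis. The distinction the thread draws is preserved by design: the script never contacts the CA's responder itself, so a "stapled:good" verdict can only come from data the server put into the handshake.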