aeris / cryptcheck

Verify some SSL/TLS website or XMPP implementation
GNU Affero General Public License v3.0
185 stars 20 forks

OCSP support #18

Open HLFH opened 8 years ago

HLFH commented 8 years ago

Hi,

Could you support OCSP?

It would be really cool to know after a TLS scan if OCSP is correctly enabled.

@angristan will be very happy too.

Thanks, HLFH

angristan commented 8 years ago

Yep that would be a great feature

aeris commented 8 years ago

OCSP is not a server-side feature, but a browser-side (OCSP request) + CA-side (OCSP URL inside the signed certificate) one.

Only OCSP stapling (not standalone OCSP) can be checked server-side. Possible to implement, waiting for a PR? :D

HLFH commented 8 years ago

@aeris You could tag this issue as backlog and feature request until @Angristan or I do the PR.

aeris commented 8 years ago

It seems OpenSSL in Ruby doesn't have code to access OCSP information.

HLFH commented 8 years ago

@aeris With execJS + Node.js + OCSP APIs for Node.js, could we do that?

aeris commented 8 years ago

No way I touch JavaScript! And very complicated to include in the existing code anyway.

aeris commented 8 years ago

It seems not to really implement OCSP stapling, but only to request the server (CA or content) outside the TLS context. More equivalent to standalone OCSP (a specific request without a real content query) than to OCSP stapling (revocation data included during the handshake for the real content query).

For correct scoring, we need to check the real browser handshake/request and not specific traffic.

HLFH commented 8 years ago

Some Perl code: https://github.com/h2o/h2o/blob/master/share/h2o/fetch-ocsp-response

Some Python code: https://github.com/tatsuhiro-t/nghttp2/blob/master/script/fetch-ocsp-response

Some other Python code: https://github.com/iSECPartners/sslyze/blob/master/plugins/PluginCertInfo.py

Does that help? Or is that off-topic?

aeris commented 8 years ago

Off-topic: this is standalone OCSP, not stapling. Currently not doable without a patch to the Ruby OpenSSL extension; the OCSP stapling API is not available at this time.

tdelmas commented 8 years ago

What about must-staple?