Open rhymeswithmogul opened 7 years ago
Sounds like a great addition, if anyone has any interest in contributing the necessary changes needed to implement this with BouncyCastle -- please do!
Nice resource about this: https://scotthelme.co.uk/ocsp-must-staple/
The code in BouncyCastleProvider.cs should look something like this I suppose:
if (OCSPMustStaple) { attrs.Add(new DerObjectIdentifier("1.3.6.1.5.5.7.1.24"), new DerOctetString(new byte[] { 0x30, 0x03, 0x02, 0x01, 0x05 })); }
Are there any plans to add support for RFC 7633 (the OCSP Must-Staple extension) to ACMESharp in a future release? Let's Encrypt now supports CSRs with that flag set.
OCSP stapling allows supporting Web servers to automatically fetch OCSP responses, and include them with the TLS handshake to improve the revocation process. IIS 7.0 and higher have this feature enabled by default. The Must-Staple extension goes further, and fails any connection that does not include a valid response.
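As an added example (not code from the ACMESharp thread or from BouncyCastle), the following encodes and checks the DER value of the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24) that the proposed change hard-codes, so a reviewer can confirm that `30 03 02 01 05` really means "SEQUENCE OF INTEGER { status_request (5) }" and can inspect the value found in an issued certificate. It assumes short-form DER lengths, which always holds for this extension.

```python
# Added example: minimal DER encoder/decoder for the TLSFeature extension value
# (RFC 7633, SEQUENCE OF INTEGER). Pure Python, no crypto library required.
ID_PE_TLSFEATURE = "1.3.6.1.5.5.7.1.24"
STATUS_REQUEST = 5        # TLS extension type for OCSP stapling
STATUS_REQUEST_V2 = 17    # TLS extension type for multi-response stapling


def _der_uint(v: int) -> bytes:
    """DER INTEGER for a non-negative value (minimal, leading 0x00 if high bit set)."""
    if v < 0:
        raise ValueError("TLS extension types are non-negative")
    content = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + bytes([len(content)]) + content


def encode_tls_features(features: list[int]) -> bytes:
    """Encode a list of TLS extension types as the TLSFeature extension value."""
    body = b"".join(_der_uint(f) for f in features)
    if len(body) > 127:
        raise ValueError("only short-form lengths are handled here")
    return b"\x30" + bytes([len(body)]) + body          # SEQUENCE


def decode_tls_features(der: bytes) -> list[int]:
    """Parse a TLSFeature value; raises ValueError on malformed or non-minimal DER."""
    if len(der) < 2 or der[0] != 0x30 or der[1] > 127 or len(der) != 2 + der[1]:
        raise ValueError("malformed TLSFeature SEQUENCE")
    feats, i = [], 2
    while i < len(der):
        if i + 2 > len(der) or der[i] != 0x02 or der[i + 1] == 0:
            raise ValueError("malformed INTEGER inside TLSFeature")
        n = der[i + 1]
        content = der[i + 2 : i + 2 + n]
        if len(content) != n or content[0] & 0x80:
            raise ValueError("truncated or negative INTEGER")
        if n > 1 and content[0] == 0 and not content[1] & 0x80:
            raise ValueError("non-minimal INTEGER encoding")
        feats.append(int.from_bytes(content, "big"))
        i += 2 + n
    return feats


def is_must_staple(der: bytes) -> bool:
    """True when the extension value requires a stapled OCSP response."""
    return STATUS_REQUEST in decode_tls_features(der)


if __name__ == "__main__":
    value = encode_tls_features([STATUS_REQUEST])
    print(value.hex(), is_must_staple(value))           # 3003020105 True
```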