stalwartlabs / mail-server

Secure & Modern All-in-One Mail Server (IMAP, JMAP, POP3, SMTP)
https://stalw.art

[enhancement]: OCSP Stapling support #108

Open Avamander opened 9 months ago

Avamander commented 9 months ago

Which feature or improvement would you like to request?

I'd really like to see OCSP stapling support for IMAP and SMTP endpoints. It should primarily speed things up for clients that use OCSP to validate server certificates, and also reduces the privacy impact of using OCSP.

Is your feature request related to a problem?

If a certificate contains the must-staple flag, then clients such as Thunderbird refuse to connect. So in those cases stapling is a must-have.


mdecimus commented 6 months ago

This will have to wait until rustls adds support for OCSP stapling.

Avamander commented 6 months ago

@mdecimus

From the linked thread I understand that it could be done, albeit in a limited way.

On the server side in the simplest form you could use with_single_cert_with_ocsp on your ServerConfig builder to provide the DER encoded OCSP response to staple in the handshake. You're responsible for sourcing and verifying the OCSP response you staple, rustls has no helpers for this.

This would suffice as a workaround for using certificates with the must-staple flag. I have done the same for Nginx with BoringSSL.
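The rustls call named in the comment above takes the stapled response as raw DER bytes and leaves sourcing and checking that response to the caller. As an added example (not Stalwart's or rustls' code), the Rust below parses the handful of fields a server needs before deciding whether a fetched OCSP response is worth stapling: responseStatus, the certificate status, thisUpdate and nextUpdate. It assumes the response's signature was already verified against the issuer when the response was fetched, and it builds a constructed sample response instead of using one from a real CA; the `with_single_cert_with_ocsp` call itself is left out so the example runs stand-alone.

```rust
// Added example (not Stalwart or rustls code): checks a DER OCSP response before it is
// handed to rustls' with_single_cert_with_ocsp; signature verification is assumed done elsewhere.
struct Der<'a> { buf: &'a [u8], pos: usize }

impl<'a> Der<'a> {
    fn new(buf: &'a [u8]) -> Self { Der { buf, pos: 0 } }
    fn peek_tag(&self) -> Option<u8> { self.buf.get(self.pos).copied() }
    // Read one tag-length-value (definite lengths only); returns (tag, value).
    fn tlv(&mut self) -> Option<(u8, &'a [u8])> {
        let (tag, first) = (*self.buf.get(self.pos)?, *self.buf.get(self.pos + 1)?);
        let (mut len, mut hdr) = (first as usize, 2);
        if first >= 0x80 {
            let n = (first & 0x7f) as usize;
            if n == 0 || n > 4 { return None; }
            len = 0;
            for i in 0..n { len = (len << 8) | (*self.buf.get(self.pos + 2 + i)? as usize); }
            hdr += n;
        }
        let start = self.pos + hdr;
        let end = start.checked_add(len)?;
        if end > self.buf.len() { return None; }
        self.pos = end;
        Some((tag, &self.buf[start..end]))
    }
    fn expect(&mut self, want: u8) -> Option<&'a [u8]> {
        self.tlv().filter(|(t, _)| *t == want).map(|(_, v)| v)
    }
}

#[derive(Debug, PartialEq)]
pub struct StapleInfo { pub cert_status: &'static str, pub this_update: String, pub next_update: Option<String> }

// id-pkix-ocsp-basic (1.3.6.1.5.5.7.48.1.1), DER-encoded
const ID_PKIX_OCSP_BASIC: &[u8] = &[0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01];

fn generalized_time(v: &[u8]) -> Option<String> {
    // RFC 5280 form YYYYMMDDHHMMSSZ; fixed width, so the strings compare correctly as text
    if v.len() != 15 || v[14] != b'Z' || !v[..14].iter().all(u8::is_ascii_digit) { return None; }
    Some(String::from_utf8_lossy(v).into_owned())
}

pub fn parse_ocsp_response(der: &[u8]) -> Option<StapleInfo> {
    let mut top = Der::new(Der::new(der).expect(0x30)?);                  // OCSPResponse
    if top.expect(0x0a)? != [0u8].as_slice() { return None; }             // only successful(0) has a body
    let mut rb = Der::new(Der::new(top.expect(0xa0)?).expect(0x30)?);     // [0] ResponseBytes
    if rb.expect(0x06)? != ID_PKIX_OCSP_BASIC { return None; }
    let mut basic = Der::new(Der::new(rb.expect(0x04)?).expect(0x30)?);   // BasicOCSPResponse
    let mut tbs = Der::new(basic.expect(0x30)?);                          // tbsResponseData
    if tbs.peek_tag() == Some(0xa0) { tbs.tlv()?; }                       // optional version
    let (rid, _) = tbs.tlv()?;                                            // responderID [1] or [2]
    if rid != 0xa1 && rid != 0xa2 { return None; }
    tbs.expect(0x18)?;                                                    // producedAt
    let mut single = Der::new(Der::new(tbs.expect(0x30)?).expect(0x30)?); // first SingleResponse
    single.expect(0x30)?;                                                 // certID (not inspected here)
    let cert_status = match single.tlv()?.0 {
        0x80 => "good", 0xa1 => "revoked", 0x82 => "unknown", _ => return None,
    };
    let this_update = generalized_time(single.expect(0x18)?)?;
    let next_update = match single.peek_tag() {                           // [0] EXPLICIT nextUpdate
        Some(0xa0) => Some(generalized_time(Der::new(single.tlv()?.1).expect(0x18)?)?),
        _ => None,
    };
    Some(StapleInfo { cert_status, this_update, next_update })
}

/// True if `der` is a successful "good" response current at `now` (GeneralizedTime string).
pub fn should_staple(der: &[u8], now: &str) -> bool {
    parse_ocsp_response(der).map_or(false, |i| {
        i.cert_status == "good" && i.this_update.as_str() <= now
            && i.next_update.as_deref().map_or(true, |n| n > now)
    })
}

// Minimal DER TLV encoder, used only to build the constructed sample below.
pub fn der_tlv(tag: u8, body: &[u8]) -> Vec<u8> {
    let mut out = vec![tag];
    match body.len() {
        n @ 0..=0x7f => out.push(n as u8),
        n @ 0x80..=0xff => out.extend([0x81, n as u8]),
        n => out.extend([0x82, (n >> 8) as u8, n as u8]),
    }
    out.extend_from_slice(body);
    out
}

// Constructed sample (not from any CA): one SingleResponse with the given certStatus tag
// (0x80 good, 0x82 unknown), valid 2024-01-01 to 2024-01-08; the signature is a placeholder.
pub fn sample_response(cert_status_tag: u8) -> Vec<u8> {
    let time = |s: &str| der_tlv(0x18, s.as_bytes());
    let mut single = der_tlv(0x30, &[]);                          // certID left empty in the sample
    single.extend(der_tlv(cert_status_tag, &[]));
    single.extend(time("20240101000000Z"));                       // thisUpdate
    single.extend(der_tlv(0xa0, &time("20240108000000Z")));       // [0] nextUpdate
    let mut tbs = der_tlv(0xa2, &der_tlv(0x04, &[0u8; 20]));      // responderID byKey (placeholder hash)
    tbs.extend(time("20240101000000Z"));                          // producedAt
    tbs.extend(der_tlv(0x30, &der_tlv(0x30, &single)));           // responses
    let mut basic = der_tlv(0x30, &tbs);
    basic.extend(der_tlv(0x30, &der_tlv(0x06, &[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b])));
    basic.extend(der_tlv(0x03, &[0x00, 0x00]));                   // placeholder signature BIT STRING
    let mut rb = der_tlv(0x06, ID_PKIX_OCSP_BASIC);
    rb.extend(der_tlv(0x04, &der_tlv(0x30, &basic)));
    let mut top = der_tlv(0x0a, &[0]);                            // responseStatus = successful
    top.extend(der_tlv(0xa0, &der_tlv(0x30, &rb)));
    der_tlv(0x30, &top)
}
```

A server using this would keep handing rustls the last response that passed `should_staple`, refresh it from the responder before `nextUpdate`, and never staple a stale, revoked or unknown one: with a must-staple certificate, a bad staple is no better than a missing one.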

Avamander commented 5 days ago

There's a comment under the linked issue that mentions a crate for stapling with rustls: https://docs.rs/ocsp-stapler/latest/ocsp_stapler/