tornadoweb / tornado

Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
http://www.tornadoweb.org/
Apache License 2.0

TLS 1.2 OCSP Stapling? #2495

Open knightcode opened 6 years ago

knightcode commented 6 years ago

I get my certificates from letsencrypt.org. They have an option called --must-staple that configures the certificate so as to require a browser to ensure my webserver responds to an OCSP query (I think that's what it does anyway). They also have a --staple-ocsp option that I use as well. But it doesn't seem to affect the issue I'm having, which is that Firefox shows an error page for my certificate with must-staple set. Other browsers seem to be fine, and reconfiguring the cert without --must-staple also lets Firefox load my site.

When I run this command:

 openssl s_client -connect myserver.com:443 -status

The second line of output is:

OCSP response: no response sent

So it seems like this is something the webserver needs to handle, and I'm unable to find any documentation for how to set this up. pyOpenSSL discusses it here. I don't know enough about the protocol to know with whom the responsibility lies.

ploxiln commented 6 years ago

OCSP-stapling requires the https server to periodically (perhaps every few hours) make a request to the certificate-authority's OCSP server to get a signed response indicating that the certificate is not revoked, and include it along with the certificate in the TLS handshake with the client, so the client does not have to make a request to the OCSP server itself. See, if the client has to make the request itself, it probably has to ignore a failure to get a response, because OCSP was not required to be 100% reliable from the beginning, so it's often not very reliable, and no one wants websites to sometimes not work because the CA's OCSP servers are flaky.

Since a few years ago, Chrome does not do OCSP because they think it's a bad idea, and I suppose also does not check for OCSP-stapling. Instead it uses CRLs (certificate revocation lists) included with the browser. https://scotthelme.co.uk/certificate-revocation-google-chrome/

Nginx and Apache can do OCSP stapling (but I hear they could do a better job about intelligently continuing to use previous OCSP responses when they can't get an updated OCSP response because the CA's servers are flaky). I don't think there's a straightforward way to get python's SSLContext to do it, probably because it's not a popular technology/protocol.
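An added check, not part of this thread, for the situation described above: it parses the output of the `openssl s_client -connect host:443 -status` command from the first comment and decides whether a "good" staple was sent and is still inside its validity window, so a monitor can catch both the "no response sent" case and a stale staple kept past its Next Update. The sample outputs are constructed to match openssl's layout, not captured from any real host.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Timestamp format openssl prints for OCSP fields, e.g. "Sep  5 12:00:00 2018 GMT".
_OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


@dataclass
class StapleCheck:
    stapled: bool                 # server sent an OCSP response in the handshake
    cert_status: Optional[str]    # "good", "revoked", "unknown" or None
    this_update: Optional[datetime]
    next_update: Optional[datetime]

    def is_usable(self, now: datetime) -> bool:
        # A staple only helps the client if it says "good" and is within its window.
        if not self.stapled or self.cert_status != "good":
            return False
        if self.this_update is not None and now < self.this_update:
            return False
        return not (self.next_update is not None and now > self.next_update)


def _find_time(label: str, output: str) -> Optional[datetime]:
    m = re.search(rf"^\s*{label}: (.+)$", output, re.MULTILINE)
    if m is None:
        return None
    return datetime.strptime(m.group(1).strip(), _OPENSSL_TIME).replace(tzinfo=timezone.utc)


def parse_s_client_status(output: str) -> StapleCheck:
    # Reduce the -status output to the fields a monitoring check cares about.
    if "OCSP response: no response sent" in output:
        return StapleCheck(False, None, None, None)
    status = re.search(r"^\s*Cert Status: (\w+)", output, re.MULTILINE)
    return StapleCheck(
        stapled="OCSP Response Status: successful" in output,
        cert_status=status.group(1) if status else None,
        this_update=_find_time("This Update", output),
        next_update=_find_time("Next Update", output),
    )


# Constructed samples modelled on openssl's output layout (not captured from a real host).
NO_STAPLE = "CONNECTED(00000003)\nOCSP response: no response sent\n"
GOOD_STAPLE = """CONNECTED(00000003)
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Sep  5 12:00:00 2018 GMT
    Next Update: Sep 12 12:00:00 2018 GMT
"""
```

In a real monitor, feed `parse_s_client_status` the captured stdout of the openssl command and pass `datetime.now(timezone.utc)` to `is_usable`.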

bdarnell commented 6 years ago

Since a few years ago, Chrome does not do OCSP because they think it's a bad idea, and I suppose also does not check for OCSP-stapling.

FWIW, dropping support for regular OCSP doesn't imply that they won't check for stapled OCSP. Chrome is being slower to adopt must-staple than Firefox was, but I think it's still coming.

I'm also not sure how all the pieces fit together here. If the stapled OCSP response is contained within the certificate file itself, then I think you'd just need to call SSLContext.load_cert_chain when it is updated (just like a renewal). If it's separate or requires some extra negotiation, this would probably require changes in the python standard library.

For now, I'd recommend not using --must-staple unless you're interested in blazing a trail and figuring out how to make all of this work.