traefik / traefik

The Cloud Native Application Proxy
https://traefik.io
MIT License

OCSP stapling support #212

Open strarsis opened 8 years ago

strarsis commented 8 years ago

Let's Encrypt for example also provides a lightweight chain file for OCSP stapling (nginx e.g. supports this with option stapling_verify).

So the user should be able to provide a chain file (like nginx ssl_trusted_certificate option) for traefik.

1n5aN1aC commented 6 years ago

I'm assuming there is still no OCSP stapling support in traefik?

This would be a nice performance enhancement for clients that properly support OCSP.

Nirkus commented 6 years ago

I am a bit confused about the ticket description since I expected generic OCSP stapling support given the ticket title ("OCSP stapling support"). What is the relationship of OCSP stapling with ACME?

Is there any OCSP stapling support in traefik already? I was not able to find anything in the documentation about it.

icedream commented 6 years ago

As far as I understand there is indeed no OCSP stapling support in Traefik yet. I also tried to verify that on my own Traefik setup and as far as Qualys' SSL Labs test is concerned, it does report missing OCSP stapling support.

alemairebe commented 6 years ago

current status from code : https://github.com/containous/traefik/blob/3b3ca894834912a24b08ba85775a2b3197003055/acme/acme.go#L34-L35 it is implemented but not activated with a reference to an issue on lego. That issue is closed, so I guess it could be enabled.

icedream commented 6 years ago

@alemairebe if I understand the code correctly though that is just for the integrated ACME client. What about certificates that are loaded into the configuration externally, like from file providers? (My understanding of this issue is that it is for all of TLS configuration, not just ACME.)

alemairebe commented 6 years ago

@icedream yes indeed, sorry, my comment was for requesting certificates with OCSP extension enabled. Implementation of OCSP by Traefik is missing.

ghost commented 5 years ago

OCSP stapling support was added in the recently released version 1.11 of Go. It would be awesome if you could start implementing this feature in Traefik now.

vsund commented 5 years ago

Would be also cool to have a slightly cleverer implementation than Apache/nginx. They're both lazily requesting these OCSP stapling requests (and also throwing them away too quickly), which results in OCSP errors where they wouldn't be necessary :)

This post explains the issue around this very well (and there are also some helpful links for further information/implementation in it).

J0WI commented 5 years ago

nginx supports a cache file and you can use your own preferred method and time interval to update OCSP responses.

polarathene commented 4 years ago

Hello, what is the status regarding this support right now? Even with the LetsEncrypt support, there is no documentation about it. The code snippet from v1.7 mentioned earlier has moved to a new location on v2/master, but is still set to false:

https://github.com/containous/traefik/blob/master/pkg/provider/acme/provider.go#L30-L33

The referenced lego repo seems to describe it as a CLI flag, I'm not a Go dev, so not sure what is involved to support it, does it just need that bool set to true? Can we get that enabled now, or make it a configurable? The lego repo resolved the issue with this commit from 2016.

alesnav commented 4 years ago

Hello,

This issue is related to two different things:

  1. Support for making SSL certificates using mustStaple property. This can be done in a very easy way since ACME client already supports it. As said by @polarathene , it is only needed to use the right parameter.

  2. Support for OCSP stapling inside Traefik. This is the difficult one. Apache, nginx and haproxy support this, but I think that Traefik does not have any mechanism to publish the OCSP stapling part.

icedream commented 4 years ago

@polarathene See an earlier comment of mine to the effect of this particular setting. This only covers the first point of @alesnav's response, but not the second part.

polarathene commented 4 years ago

@icedream ACME (and thus the common LetsEncrypt) stapling support is still better than none at all. That boolean should be configurable or enabled now. Getting support beyond providers that support ACME certs would still be nice, but shouldn't need to be a blocker for ACME to use stapling?

EDIT: Ah, I've misunderstood. There is no point enabling mustStaple if OCSP stapling support is lacking? So it'd make no sense unless Traefik is also handling that. For now stapling requires TLS to be handled by Nginx/Apache/CloudFlare/etc?

To support OCSP Must-Staple correctly, web server software such as Apache and Nginx must fully and correctly support OCSP Stapling, properly fetching and caching OCSP responses as well as handling errors when communicating with OCSP responders.

Go's TLS support does seem to cover OCSP Stapling though?

I'm not a Go dev, so this is about as much as I can "help". The following afaik support OCSP Stapling, so digging into their code for implementation should reveal what needs to be done to contribute a PR to Traefik to provide the same functionality? (These are all Go projects, although Caddy I think kind of competes with Traefik/Nginx functionality)

So for anyone who's experienced with Go, perhaps CertMagic is the way to go, referencing how Caddy uses it? Since Traefik already handles TLS, I guess that'd be too invasive of a change, you might just need to reference the OCSP Stapling logic?

icedream commented 4 years ago

@polarathene I didn't exactly think about it but if mustStaple is enabled and the OCSP stapling is lacking, this will very likely (definitely?) break connectivity; I think you are right.

As you can see the TLS support only goes as far as to provide a placeholder byte slice to be filled with the respective OCSP response. The logic still needs to be implemented by Traefik itself as far as I know about Golang.
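To make the point above concrete (Go's crypto/tls only carries the staple; the fetch, cache and refresh logic is the server's job), here is an added example that is not Traefik's code and not from anyone in this thread. It uses only the standard library: the server fills `tls.Certificate.OCSPStaple` from a cache inside `GetCertificate`, the client reads it back from `ConnectionState().OCSPResponse`, and a client flag emulates a must-staple-enforcing peer so the breakage described above (must-staple set, no staple sent) is visible as a failed handshake. It also shows the refresh-ahead-of-expiry policy vsund asked for earlier in the thread. The type and function names (`stapleCache`, `stapleEntry`, `Handshake`, `selfSignedCert`) are my own, the certificate is generated in memory, and the staple bytes are a constructed placeholder: a real server would fetch the CA responder's signed DER response and validate it (for example with golang.org/x/crypto/ocsp) before caching it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"sync/atomic"
	"time"
)

// stapleEntry is one fetched OCSP response plus the responder's validity window.
type stapleEntry struct {
	resp                   []byte // DER OCSP response; opaque to crypto/tls
	thisUpdate, nextUpdate time.Time
}

// stapleCache serves staples from memory and atomically swaps in a fresh entry
// on refresh, instead of fetching lazily per handshake and discarding early.
type stapleCache struct{ cur atomic.Pointer[stapleEntry] }

func (c *stapleCache) Store(e *stapleEntry) { c.cur.Store(e) }

// Get returns the response while valid at now, else nil: the server then omits
// the staple rather than sending a stale one.
func (c *stapleCache) Get(now time.Time) []byte {
	if e := c.cur.Load(); e != nil && !now.After(e.nextUpdate) {
		return e.resp
	}
	return nil
}

// NeedsRefresh is true once half the validity window has elapsed (or nothing
// is cached), leaving slack for responder outages before the staple expires.
func (c *stapleCache) NeedsRefresh(now time.Time) bool {
	e := c.cur.Load()
	return e == nil || !now.Before(e.thisUpdate.Add(e.nextUpdate.Sub(e.thisUpdate)/2))
}

// selfSignedCert builds a throwaway in-memory leaf and a pool that trusts it.
// Demo helper only: it panics instead of returning errors.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ocsp-demo.invalid"},
		DNSNames:     []string{"ocsp-demo.invalid"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	parsed, _ := x509.ParseCertificate(der) // cannot fail: der was just produced
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}

// Handshake runs one loopback TLS handshake: the server fills
// tls.Certificate.OCSPStaple from the cache inside GetCertificate; the client
// reads it from ConnectionState().OCSPResponse and, with requireStaple set,
// acts like a must-staple-enforcing peer and fails when none arrives.
func Handshake(cache *stapleCache, now time.Time, requireStaple bool) ([]byte, error) {
	cert, roots := selfSignedCert()
	srvCfg := &tls.Config{GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
		c := cert // copy, so the shared certificate is never mutated
		c.OCSPStaple = cache.Get(now)
		return &c, nil
	}}
	cliCfg := &tls.Config{ServerName: "ocsp-demo.invalid", RootCAs: roots,
		VerifyConnection: func(cs tls.ConnectionState) error {
			if requireStaple && len(cs.OCSPResponse) == 0 {
				return errors.New("must-staple: server sent no OCSP staple")
			}
			return nil
		}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	srvErr := make(chan error, 1) // buffered: the goroutine never blocks on send
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			err = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
		srvErr <- err
	}()
	client, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return nil, err
	}
	defer client.Close()
	if err := <-srvErr; err != nil {
		return nil, err
	}
	return client.ConnectionState().OCSPResponse, nil
}
```

Calling `Handshake(cache, now, true)` with a fresh entry in the cache returns the stapled bytes on the client side; once `now` is past the entry's `nextUpdate`, `Get` returns nil, the server omits the staple, and the same must-staple client refuses the connection while a non-enforcing client (`requireStaple=false`) still connects. A background loop polling `NeedsRefresh` and calling `Store` with a newly fetched response is what keeps a production server out of that failure mode.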

Keridos commented 4 years ago

This is apparently a blocker for being able to fully meet the HIPAA or NIST Guidelines for TLS, too. Both of them require OCSP Stapling support.

smares commented 4 years ago

I would also like to see OCSP stapling support in Traefik.

droplet-js commented 4 years ago

any news update?

songrijie commented 4 years ago

We do need this enhancement since there is an ongoing connectivity issue in LE. No progress was made in months.

polarathene commented 4 years ago

@songrijie an alternative for now would be to have nginx or similar handle HTTPS and then handover to Traefik. That way you could handle OCSP stapling I think and still use Traefik for routing.

Alternatively there is Caddy which released v2 recently. It's received a fair bit of praise and has one of the best OCSP stapling implementations afaik (nginx isn't as good). You might be able to swap Traefik out for Caddy if it suits your needs? It doesn't look like this feature is going to be worked on any time soon.

wibimaster commented 3 years ago

Need this too... Why isn't a security task top priority for a proxy project?

georglauterbach commented 3 years ago

What's the current status here?

LeoniePhiline commented 3 years ago

Is there a way to specifically sponsor this feature?

aapelismith commented 3 years ago

Holy shit, traffic, such a popular web server, does not support OCSP stapling. This is like a joke. It is destined that traffic cannot be used in Asian countries, such as China, because these countries have government-supported firewalls, which often block OCSP stapling providers.

HenriqueOtsuka commented 2 years ago

Anyone know about the current status of this feature?

wookiesh commented 2 years ago

According to immuniser ssl check it's non compliant with NIST guidelines. Any way to help getting this forward?

J0WI commented 2 years ago

https://github.com/golang/go/issues/51064#issuecomment-1070184302 contains a few hints

strarsis commented 2 years ago

What about the PR (https://github.com/traefik/traefik/pull/8393) that has been already linked to? What is missing for the PR to be merged?

rtribotte commented 2 years ago

Hello @strarsis,

Thanks for your interest in Traefik!

As mentioned in this comment on #8393, we want to address OCSP revocation first and come back later to OCSP stapling.

tfny commented 1 year ago

Oh man, it is very clear that this is a very wanted feature, and also clear that we have struggled with it. That is why this concept is a candidate for a bounty during the Traefik Proxy 3.0 Hackaethon! The goal for the version on the hackathon is just a little bit different, so I thought I would link you to the blog post that describes it so that you can check that out and maybe participate with us.

There will also be a more in-depth update on the issues associated with it coming soon.

This means that if the design and POC or the fully fleshed-out PR for this issue is accepted in the Hackaethon, the person or team behind doing it will receive $250 as well as a chance at the Grand Prize of $1000!

All accepted PRs and designs will receive a tshirt and stickers.

To learn more about the Traefik Proxy 3.0 Hackaethon, check out our blog post that covers the goals, rules, scoring criteria, and dates in detail.

To join us, sign-up here!

fsdrw08 commented 3 months ago

Any update now?

oscrx commented 3 months ago

There is a very interesting thread about it here: https://github.com/cert-manager/cert-manager/issues/5785

alesnav commented 1 month ago

Hi there!

@ldez , does PR https://github.com/traefik/traefik/pull/8393 fix this issue?

Is there any problem or another issue with that as it is waiting more than a year since @alekitto merged the last update into it?

Thanks!