proposal: x/crypto/acme/autocert: enforce OCSP must staple #17390

Closed
nhooyr opened this issue Oct 9, 2016 · 9 comments
Comments

nhooyr commented Oct 9, 2016

Given we automatically staple OCSP responses, I think it makes sense to enforce OCSP must staple on all certificates. If not, I think it should at least be configurable.

It looks like a pretty simple change: hlandau/acmetool@f19e712

nhooyr commented Oct 9, 2016

My bad. I misread my report on ssllabs.com. We're not OCSP stapling.

@nhooyr nhooyr closed this as completed Oct 9, 2016
nhooyr commented Oct 9, 2016

Actually, given OCSP must staple is standardized in RFC 7633, maybe we should staple OCSP responses and enforce OCSP must staple?

@nhooyr nhooyr reopened this Oct 9, 2016
adg commented Oct 31, 2016

I have no idea what this means.

robpike commented Oct 31, 2016

Please send a change list for review.

x1ddos commented Nov 3, 2016

@nhooyr to clarify. By "configurable" do you mean just the OCSP must staple CSR extension? Because the rest is not related to acme/autocert. It's up to your TLS server.

Configurable certs seem like a good idea to me. Maybe #17744 could also benefit from it.

x1ddos commented Nov 3, 2016

Although, watch out what you wish for: #8549. OCSP must staple should probably be "opt in" at best.

nhooyr commented Nov 3, 2016

@x1ddos Precisely. But I think it'd be nice if acme/autocert also supported OCSP stapling. With OCSP must staple it actually makes things more secure.
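The split x1ddos and nhooyr are describing above has two halves: the ACME client only asks for must-staple through the RFC 7633 TLS Feature extension in the CSR, while stapling itself (and the #8549 failure mode, where a must-staple certificate is served without a staple) belongs to the TLS server. The Go program below is an added example written for this page, not code from this issue, from x/crypto/acme/autocert or from acmetool. The function names (`newMustStapleCSR`, `hasMustStaple`, `safeToServe`) and the `example.com` name are constructed for the illustration; the OID `1.3.6.1.5.5.7.1.24` and feature number `5` are the values RFC 7633 defines.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"log"
)

// id-pe-tlsfeature, the TLS Feature extension OID from RFC 7633, and the
// status_request feature number (5) that a CA encodes as "OCSP must staple".
var oidTLSFeature = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}

const tlsFeatureStatusRequest = 5

// mustStapleExtension encodes the extension value as SEQUENCE OF INTEGER { 5 }.
func mustStapleExtension() (pkix.Extension, error) {
	val, err := asn1.Marshal([]int{tlsFeatureStatusRequest})
	if err != nil {
		return pkix.Extension{}, err
	}
	return pkix.Extension{Id: oidTLSFeature, Value: val}, nil
}

// newMustStapleCSR (hypothetical helper) builds a DER CSR for names that asks
// the CA to issue a certificate carrying the must-staple extension. This is
// the only part of the feature an ACME client such as autocert would own.
func newMustStapleCSR(key *ecdsa.PrivateKey, names []string) ([]byte, error) {
	ext, err := mustStapleExtension()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:         pkix.Name{CommonName: names[0]},
		DNSNames:        names,
		ExtraExtensions: []pkix.Extension{ext},
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// hasMustStaple reports whether a CSR's or certificate's extension list
// (x509.CertificateRequest.Extensions or x509.Certificate.Extensions)
// carries the TLS Feature extension with status_request listed.
func hasMustStaple(exts []pkix.Extension) bool {
	for _, e := range exts {
		if !e.Id.Equal(oidTLSFeature) {
			continue
		}
		var features []int
		rest, err := asn1.Unmarshal(e.Value, &features)
		if err != nil || len(rest) != 0 {
			return false // malformed value: treat as absent
		}
		for _, f := range features {
			if f == tlsFeatureStatusRequest {
				return true
			}
		}
	}
	return false
}

// safeToServe is the server-side check behind the #8549 caveat: a must-staple
// certificate handed to tls.Config with an empty tls.Certificate.OCSPStaple is
// hard-failed by conforming clients, so it should never reach production.
func safeToServe(mustStaple bool, ocspStaple []byte) bool {
	return !mustStaple || len(ocspStaple) > 0
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	der, err := newMustStapleCSR(key, []string{"example.com"}) // constructed name
	if err != nil {
		log.Fatal(err)
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		log.Fatal(err)
	}
	ms := hasMustStaple(csr.Extensions)
	fmt.Println("CSR requests must-staple:", ms)
	fmt.Println("safe to serve with no staple:", safeToServe(ms, nil))
}
```

The same `hasMustStaple` check runs unchanged over `x509.Certificate.Extensions`, so a server can refuse to load a must-staple certificate whose `OCSPStaple` it has not fetched; that is the "opt in" guard x1ddos is arguing for.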

robpike commented Nov 4, 2016

If anyone wants to explain what they're talking about here, it would be appreciated. Otherwise we should close this issue.

nhooyr commented Nov 4, 2016

I'll create a new issue where things are explained more clearly.

edit: Created #17801

@nhooyr nhooyr closed this as completed Nov 4, 2016
@golang golang locked and limited conversation to collaborators Nov 4, 2017
@rsc rsc unassigned x1ddos Jun 23, 2022