proposal: x/crypto/acme/autocert: enforce OCSP must staple #17390
Comments
My bad. I misread my report on ssllabs.com. We're not OCSP stapling.
Actually, given OCSP must staple is standardized in RFC 7633, maybe we should staple OCSP responses and enforce OCSP must staple?
I have no idea what this means.
Please send a change list for review.
Although, watch out what you wish for: #8549. OCSP must staple should probably be "opt in" at best.
@x1ddos Precisely. But I think it'd be nice if acme/autocert also supported OCSP stapling. With OCSP must staple it actually makes things more secure.
If anyone wants to explain what they're talking about here, it would be appreciated. Otherwise we should close this issue.
I'll create a new issue where things are explained more clearly. edit: Created #17801
Given we automatically staple OCSP responses, I think it makes sense to enforce OCSP must staple on all certificates. If not, I think it should at least be configurable.
It looks like a pretty simple change: hlandau/acmetool@f19e712
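
One way to request must-staple, as an added example using only Go's standard library (not code from autocert or acmetool): the CSR carries the RFC 7633 TLS Feature extension listing status_request, and a checker parses it back. The function names and the example.com domain are made up for this sketch, and it assumes the CA copies the extension from the CSR into the issued certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

var oidTLSFeature = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24} // id-pe-tlsfeature (RFC 7633)
var mustStapleValue = []byte{0x30, 0x03, 0x02, 0x01, 0x05}            // DER SEQUENCE { INTEGER 5 }; 5 = status_request

// MustStapleCSR (hypothetical helper) returns a DER CSR for domain that requests must-staple.
func MustStapleCSR(domain string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		DNSNames:        []string{domain},
		ExtraExtensions: []pkix.Extension{{Id: oidTLSFeature, Value: mustStapleValue}},
	}, key)
}

// HasMustStaple (hypothetical helper) decodes TLS Feature and reports whether status_request is listed.
func HasMustStaple(exts []pkix.Extension) bool {
	var feats []int
	for _, e := range exts {
		if e.Id.Equal(oidTLSFeature) {
			if _, err := asn1.Unmarshal(e.Value, &feats); err != nil {
				return false // malformed extension value: treat as not requested
			}
		}
	}
	for _, f := range feats {
		if f == 5 {
			return true
		}
	}
	return false
}

func main() {
	der, _ := MustStapleCSR("example.com") // constructed sample domain
	csr, err := x509.ParseCertificateRequest(der)
	fmt.Println("must-staple requested:", err == nil && HasMustStaple(csr.Extensions))
}
```

The same `HasMustStaple` check works on `Certificate.Extensions` of an issued certificate, which is where a server would decide that serving without a stapled response is a hard failure.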