OCSP Stapling

[Nothing4You]

Please implement OCSP Stapling.
This is especially useful to 1. reduce load of OCSP servers and 2. prevent privacy leaks of who is connecting to your host towards the OCSP server.

[biergaizi]

+1.

[robert-scheck]

Any chance?

[brunoos]

I don't know how hard is to implement this.
I'm focused on university stuffs, I need to find free time for it.

[mimi89999]

Hello,
Are there any news on this?

[brunoos]

Sorry, I confess I did not look anything about it. I will try to find time to see it.

[Zash]

I started some exploratory coding in https://github.com/Zash/luasec/tree/ocsp that I believe manages a partial client-side OCSP check. No idea how to do the server-side parts yet, or how to check the cert for the must-staple flag.

[WhyNotHugo]

ocspcheck from openbsd fetches an ocsp response and can save it into a file. httpd can be configured to read these pre-fetched ocsp responses and stamp them.

Its source might be a useful reference: https://github.com/openbsd/src/tree/master/usr.sbin/ocspcheck

It's also possible to follow a similar design, where the OCSP response is read from the file and stamped into responses, without having to re-implement fetching them.