Provide an option to use OCSP Must Staple
pkubaj opened this issue
Let's Encrypt now provides an option to use OCSP Must Staple, which enforces the use of OCSP Stapling on certificate level (letsencrypt/boulder#989 (comment)).
Acme-client doesn't provide such an option yet.
For the record, I don't do feature requests. So don't make them again without a patch to show for it.
That said, OCSP is now part of LE, so I've added the right goop. I've only verified that the staging server gives back the magical certificate bits, not that they do anything. So please check for yourself with a real domain and report back. Consider it penance for not having submitted a patch. :)
I've tested both production and staging server. Unfortunately both certificates don't have Must Staple. I've checked X509v3 extensions on both new certs and the old certs and they are the same.
SSLLabs test also says that the new cert doesn't have the Must Staple flag.
Did you use -O when invoking acme-client?
Of course, I used the following flags: -vnNfFOs (no "s" when testing with production server).
You should be seeing this (given openssl -text -in on OpenBSD 6.0):
X509v3 Subject Alternative Name:
DNS:foo.bar, DNS:www.foo.bar
1.3.6.1.5.5.7.1.24:
0....
Are you seeing the 1.3.6.1... string?
I was able to get OCSP stapling with the following.
doas ./acme-client -vsNnO -c testing -f testing/acct.pem -k testing/domain.pem divelog.blue www.divelog.blue
Then no OCSP with the following:
doas ./acme-client -vsNn -c testing2 -f testing2/acct.pem -k testing2/domain.pem divelog.blue www.divelog.blue
Verified when I run
openssl x509 -text -noout -in testing/cert.pem > testing/cert.pem.txt
openssl x509 -text -noout -in testing2/cert.pem > testing2/cert.pem.txt
diff -u testing/cert.pem.txt testing2/cert.pem.txt
The diff has the 1.3.6... bits.
I have the following:
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
Thing is, exactly the same Certificate Policies were present in the previous certificate, generated in December :)
Read exactly what I wrote. Those OIDs are different and in a different section of the certificate. The OCSP stapling request is in the certificate X509v3 extensions. See http://security.stackexchange.com/questions/119316/how-to-simply-check-if-a-certificate-has-the-ocsp-must-staple-attribute for details.
Thanks, I've tried again and it seems to work. I had double -f options by accident which may be why it didn't work before.
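The check described in this thread (look for the 1.3.6.1.5.5.7.1.24 TLS Feature extension rather than the Certificate Policies OIDs) done programmatically, as an added example that is neither acme-client's code nor anything posted above: a minimal DER walker that finds the extension and confirms it lists status_request. The certificate-shaped blobs at the bottom are constructed sample data that model only the extensions block, not real certificates.

```python
import base64
import re

TLS_FEATURE_OID = bytes.fromhex("2b06010505070118")  # 1.3.6.1.5.5.7.1.24 (RFC 7633)
STATUS_REQUEST = 5  # TLS extension type "status_request" (RFC 6066) = OCSP Must Staple

def der_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the definite-length TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):  # yield (tag, value) for each TLV inside a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        yield tag, val

def tls_features(der):
    """Depth-first walk; return the TLSFeatures INTEGER list, or None when absent."""
    stack = [der]
    while stack:
        try:
            kids = list(der_children(stack.pop()))
        except IndexError:  # truncated or garbled node: skip it
            continue
        if kids and kids[0] == (0x06, TLS_FEATURE_OID):  # Extension { extnID, [critical], extnValue }
            octets = next(v for t, v in kids if t == 0x04)  # extnValue OCTET STRING
            _, seq, _ = der_tlv(octets)  # TLSFeatures ::= SEQUENCE OF INTEGER
            return [int.from_bytes(v, "big") for t, v in der_children(seq) if t == 0x02]
        stack.extend(v for t, v in kids if t & 0x20)  # descend into constructed nodes only

def has_must_staple(data):
    """True when the TLS Feature extension lists status_request; accepts PEM or DER bytes."""
    if data.lstrip().startswith(b"-----"):  # PEM, e.g. acme-client's cert.pem
        data = base64.b64decode(re.sub(rb"-----[^\n]*-----|\s", b"", data))
    feats = tls_features(data)
    return feats is not None and STATUS_REQUEST in feats

# --- Constructed sample data (NOT real certificates): only the [3] extensions part is modelled ---
def tlv(tag, value):  # tiny DER encoder; short-form length only (all samples are < 128 bytes)
    return bytes([tag, len(value)]) + value

def extension(oid, inner):  # Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }
    return tlv(0x30, tlv(0x06, oid) + tlv(0x04, inner))

POLICIES_EXT = extension(bytes.fromhex("551d20"),  # certificatePolicies listing 2.23.140.1.2.1
                         tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("67810c010201")))))
MUST_STAPLE_EXT = extension(TLS_FEATURE_OID, tlv(0x30, tlv(0x02, bytes([STATUS_REQUEST]))))
CERT_WITH = tlv(0x30, tlv(0x30, tlv(0xA3, tlv(0x30, POLICIES_EXT + MUST_STAPLE_EXT))))
CERT_WITHOUT = tlv(0x30, tlv(0x30, tlv(0xA3, tlv(0x30, POLICIES_EXT))))
PEM_WITH = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(CERT_WITH) + b"-----END CERTIFICATE-----\n"
```

Feed `has_must_staple(open("testing/cert.pem", "rb").read())` a real cert.pem to get a yes/no instead of diffing two `openssl x509 -text` dumps; a certificate that only carries the Certificate Policies OIDs, like the one shown earlier in the thread, is reported as False.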