Following the blog post of Mozilla security blog Improving Revocation: OCSP Must-Staple and Short-lived Certificates I was wondering if Let’s Encrypt will implement the RFC 7633 (OCSP Must-Staple TLS Feature Extension)? I think it’s not reasonable expect that Let’s Encrypt implement it for all cert…

Ah, I thought flipping it in boulder-config.json was enough, but now I see it’s /test/boulder-config.json in the commit… :unamused: Didn’t look good enough, my bad!

No worries! I know people are excited for this feature, it’s just a matter of time and priorities. :slightly_smiling:

Must Staple is now enabled in staging. If you want to use the official client, you can pull the must-staple branch locally and pass the --must-staple flag, or you can generate your own CSR and use the --csr flag with one of the released client versions. We’ll probably enable it in production someti…

I’ll try it tomorrow! :smiley: Thank you very much! It’s a pity though Google won’t support it in Chromium/Chrome… Yet… :frowning:

@jsha For some reason, when I put an invalid feature in the TLS Feature Extension attribute in the CSR, Boulder answers with Error: urn:acme:error:serverInternal :: The server experienced an internal error :: Error creating new cert. I confirmed a Must-Staple TLS Feature Extension CSR can be signed…

@osiris : This bug is now fixed on staging. Please try again.

@jsha Hi, is the must-staple feature in production yet ? [image] jsha: We'll probably enable it in production sometime Thursday. And if anyone know : How to simply check if a certificate has the OCSP must-staple attribute? - Information Security Stack Exchange ?

Not yet, sorry. Our Ops team has been busy.

Hi i found two points: I added an new DNS record for the test. But the server (staging) toggle between the old IP and the new one. Even old and new one had an DNS TTL of 60sec. The CSR i Generated always cause an Internal Server Error on the acme side. Any hints ? CSR: MIIBUzCB1wIBADAZMRcwFQYDV…

Improving revocation : will Let's Encrypt support OCSP Must-staple?

Feature Requests

jsha March 24, 2016, 5:13pm 20

Thanks for reporting! I’ve filed a bug, we’ll fix it: https://github.com/letsencrypt/boulder/issues/1650

Topic		Replies	Views
What will happen to Must-Staple Issuance Policy	33	3461	August 26, 2024
Sunsetting of OCSP in favor of older technology? Issuance Policy	24	3028	August 31, 2024
Requesting feedback on a draft email for subscribers currently using OCSP must-staple Site Feedback	26	792	March 20, 2025
How to change cert to enable TLSv1.3 Help	31	10493	October 24, 2021
What is the relationship between the revoking list and OCSP Stapling? Site Feedback	45	4768	March 6, 2022

Improving revocation : will Let's Encrypt support OCSP Must-staple?

Related topics