ISRG root test pages do not use OCSP stapling


#1

The Let’s Encrypt certificate page show a few “test pages” for a few possible scenarios with regard of the end leaf certificate.

Among those, there’s a test page for a revoked leaf certificate: https://revoked-isrgrootx1.letsencrypt.org/

Unfortunately, this page works perfectly in Chrome. This because Chrome doesn’t query for OCSP responses by default, because this is cause for privacy infractions, among others.

And… The Let’s Encrypt server doesn’t use OCSP Stapling… :cry: :

osiris@desktop ~ $ openssl s_client -connect revoked-isrgrootx1.letsencrypt.org:443 -servername revoked-isrgrootx1.letsencrypt.org -status
CONNECTED(00000003)
OCSP response: no response sent
...

So… My question to the Let’s Encrypt technical staff:

  • Is OCSP Stapling disabled with a reason?
  • If so, what’s that reason?

By the way: someone renewed the “”“expired”"" certificate :stuck_out_tongue_winking_eye: :

osiris@desktop ~ $ echo -n "" | openssl s_client -connect expired-isrgrootx1.letsencrypt.org:443 -servername expired-isrgrootx1.letsencrypt.org 2>/dev/null | openssl x509 -noout -text | grep -E "Not After|DNS"
            Not After : Feb 15 01:13:00 2017 GMT
                DNS:expired-isrgrootx1.letsencrypt.org
osiris@desktop ~ $

#2

I’m not aware of any specific reason. I put in a ticket with our operations team to see about enabling it but its a low priority item behind lots of immediately pressing ones :slight_smile:. Thanks for the suggestion.

Oops! I opened a ticket for this as well. Thanks for catching that.


#3

Understandable :slight_smile: Perhaps a temporary warning on the page itself about OCSP Stapling would make sense?


#4

That’s a useful suggestion too - thank you! I’ll see whether that can be done with more expedience.


#5

We both missed some text on the expired page :laughing: :

NOTE: We know that this certificate has not yet expired. On 14 Feb 2017 the certificate will be expired and this site will properly demonstrate an expired certificate.

We’re deliberately waiting that one out - the policies we’re audited under won’t allow us to sign a deliberately expired certificate.


#6

:flushed: Whoops… Missed that indeed :hushed:


#7

I submitted a PR to add the note you suggested. Thanks!


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.