I think the requests will fail if the client can't access the CRL endpoint.
Please continue providing OCSP stapling.
In China or on some limited networks (such as companies or schools), if the government blocks the CRL domain, the certificate will not be usable for some non-browser clients. It's harmful to the internet.
That depends on the client. With OCSP, many clients (like many browsers) would ignore problems accessing OCSP and allow the connection anyway.
Let's Encrypt stopped putting OCSP URLs in its certificates this past May 6. The OCSP servers themselves were shut off in Aug. See this notice from Dec 2024: Ending OCSP Support in 2025 - Let's Encrypt
And this blog post from Aug 6 this year: OCSP Service Has Reached End of Life - Let's Encrypt
Governments could also have blocked the OCSP domains. This is no different. Are there particular TLS clients you are concerned about?
Let's Encrypt believes the lack of privacy with OCSP to be worth it. Not to mention OCSP did not provide the reliable way to detect cert revocation that people expected. There was considerable discussion of this when it was first announced last year.
Please read the Aug 6 blog post.