Re: Re: [EXTERNAL] Re: [users@httpd] OCSP Stapling Configuration Setup

Nothing that I could find in the documentation says that the OCSP stapling does anything outside of that. The OCSP server will add that status to the handshake / response. I guess, is there a way to check that OCSP response status in Apache and manually block this based on it?

——————————————————————————




Quintin Ash | Senior Software Engineer

Tenable Network Security

7021 Columbia Gateway Drive, Suite 500

Columbia, MD 21046

qash@xxxxxxxxxxx

W: 443-545-2101 ext. 472

tenable.com



On Mon, Apr 24, 2023 at 12:41 PM Eric Covener <covener@xxxxxxxxx> wrote:




I have added tracing and see that the OCSP is revoked. I guess my question is, if the certificate is revoked, should Apache deny access to the website? Because it is still allowing access even though the OCSP server mentions that it's revoked.

Is there anything in the docs that implies OCSP stapling does anything but staple the OCSP response so the client can see it? 

Did it get added as an extension in the handshake or not?
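
The handshake question above can be checked from the client side with `openssl s_client -status`, which prints the stapled OCSP response if the server sent one. The following is an added example, not part of the original thread: the function names, the `server.example` placeholder host and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Classify the OCSP stapling result found in `openssl s_client -status` output.
# Reads the s_client output on stdin and prints one of:
#   not-stapled  - the server sent no OCSP response in the handshake
#   good | revoked | unknown - the Cert Status carried in the stapled response
#   unparsed     - no stapling information was found in the input
staple_status() {
    awk '
        /OCSP response: no response sent/ { print "not-stapled"; found = 1; exit }
        /^[ \t]*Cert Status:/ {
            sub(/^[ \t]*Cert Status:[ \t]*/, "")   # keep only the status word
            sub(/[ \t\r]+$/, "")                   # drop trailing whitespace
            print; found = 1; exit
        }
        END { if (!found) print "unparsed" }
    '
}

# Live check against a server (hypothetical helper, not called here so the
# script runs offline). Usage: check_host server.example
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" -status \
        </dev/null 2>/dev/null | staple_status
}

# Constructed sample: stapled response reporting a revoked certificate.
SAMPLE_REVOKED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: revoked
    Revocation Time: Apr 20 12:00:00 2023 GMT'

# Constructed sample: handshake completed without a stapled response.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'

printf '%s\n' "$SAMPLE_REVOKED" | staple_status
printf '%s\n' "$SAMPLE_NONE" | staple_status
```

A result of `revoked` means the staple reached the client in the handshake; what happens next is up to the client that receives it.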

