
Add OCSP stapling support

Open. yegle opened this issue 5 years ago (3 comments)

Can we add OCSP stapling support in the response to avoid a deadlock when running a DNS-over-TLS-only Unbound server?

It's currently not supported. I see NSD recently got OCSP stapling support, so presumably it would be trivial.

OCSP stapling test output:

$ openssl s_client -connect my-dns-server:853 -tls1_3  -tlsextdebug  -status
CONNECTED(00000003)
...
OCSP response: no response sent
...

yegle, Jun 24 '19 03:06

Note that without OCSP stapling in the response, it will likely get into a deadlock where the client has to resolve the OCSP server hostname to validate the certificate, but it can't, because you have to trust the server to send the DNS query.

This deadlock is mentioned in the DNS-over-HTTPS RFC. Given that, can we prioritize the work here a little bit?

yegle, Jul 18 '19 20:07

Let's Encrypt certificates require OCSP stapling, so this missing feature prevents use of LE certificates (in conforming environments, where the client will correctly honor the cert's OCSP requirement).

EDIT: I was wrong; LE offers OCSP-must-staple on certificates but does not require it. Unbound serves TLS properly with an LE cert that does not have the OCSP-must-staple extension enabled.

bradleeedmondson, Apr 27 '21 14:04
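As an added illustration (not code from the Unbound project or from any of the commenters above), here is a small POSIX shell check covering the two points raised in this thread: whether a DoT server staples an OCSP response (the `openssl s_client -status` test from the first comment) and whether the certificate carries the OCSP Must-Staple extension (the point corrected in the previous comment). The host name `my-dns-server` comes from the thread; the function names, the `verdict` categories, and the assumption that `openssl x509 -text` prints the extension as `TLS Feature:` followed by `status_request` are mine. The two parsing functions read captured command output on stdin, so they can be exercised offline; `check_dot_server` is the live wrapper.

```shell
#!/bin/sh
# Added example, not code from the Unbound project or from this thread.
# Assumes a POSIX shell and an `openssl` binary on PATH.

# 0 if an `openssl s_client -status` transcript contains a stapled OCSP
# response, 1 if the server sent none (the "no response sent" case above).
has_stapled_ocsp() {
    grep -q 'OCSP Response Status: successful'
}

# 0 if an `openssl x509 -text` dump shows the TLS Feature extension carrying
# status_request, i.e. OCSP Must-Staple (RFC 7633); 1 otherwise.
# Assumes OpenSSL's text layout: "TLS Feature:" with "status_request" on
# the following line.
cert_requires_staple() {
    awk '/TLS Feature/ { want = 1; next }
         want && /status_request/ { found = 1 }
         { want = 0 }
         END { exit found ? 0 : 1 }'
}

# Map the two answers to the situations discussed in this thread.
#   $1: yes|no  server stapled a response
#   $2: yes|no  certificate carries OCSP Must-Staple
verdict() {
    if [ "$1" = yes ]; then
        echo ok            # client never has to reach the OCSP responder
    elif [ "$2" = yes ]; then
        echo must-fix      # strict clients reject the cert, with no fallback
    else
        echo soft-fail     # client must fetch OCSP itself, which a DoT-only
                           # client cannot do without another resolver
    fi
}

# Live check against a DoT server. Usage: check_dot_server my-dns-server 853
# Returns 2 if the TLS connection itself could not be made.
check_dot_server() {
    host=$1
    port=${2:-853}
    transcript=$(openssl s_client -connect "$host:$port" -servername "$host" \
                   -status </dev/null 2>/dev/null) || return 2
    if printf '%s\n' "$transcript" | has_stapled_ocsp; then
        stapled=yes
    else
        stapled=no
    fi
    # s_client echoes the leaf certificate in PEM; x509 reads the first one.
    if printf '%s\n' "$transcript" | openssl x509 -noout -text 2>/dev/null \
         | cert_requires_staple; then
        must=yes
    else
        must=no
    fi
    echo "$host:$port stapled=$stapled must-staple=$must verdict=$(verdict "$stapled" "$must")"
}
```

Run `check_dot_server my-dns-server 853` against your own resolver: `must-fix` is the combination the thread is about (a Must-Staple certificate served without a staple), and `soft-fail` is the quieter version of the same deadlock, where a client that only has this resolver still cannot reach the OCSP responder on its own.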

In the OPNsense context, this would be an awesome feature :)

olmari, Mar 12 '22 16:03