Add OCSP stapling support
Can we add OCSP stapling support in the response to avoid a deadlock when running a DNS-over-TLS-only Unbound server?
It's currently not supported. I see NSD recently got OCSP stapling support, so presumably it would be trivial.
OCSP stapling test output:
$ openssl s_client -connect my-dns-server:853 -tls1_3 -tlsextdebug -status
CONNECTED(00000003)
...
OCSP response: no response sent
...
Note that without OCSP stapling in the response, it will likely get into a deadlock where the client has to resolve the OCSP server hostname to validate the certificate, but it can't, because it has to trust the server to send the DNS query.
This deadlock is mentioned in the DNS-over-HTTPS RFC. Given that, can we prioritize the work here a little bit?
Let's Encrypt certificates require OCSP stapling, so this missing feature prevents use of LE certificates (in conforming environments, where the client will correctly honor the cert's OCSP requirement).
EDIT: I was wrong; LE offers OCSP-must-staple on certificates but does not require it. Unbound serves TLS properly with an LE cert that does not have the OCSP-must-staple extension enabled.
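The practical question behind the thread above is which certificates are safe to put on a DoT server that never staples: a certificate carrying the RFC 7633 TLS Feature extension (status_request, "must-staple") will be rejected by a conforming client when no stapled response arrives, and the client cannot resolve the OCSP responder hostname through a resolver it has not yet validated. The script below is an added example, not code from the Unbound project or from anyone in this issue; it uses the openssl command line (1.1.1 or later, for -addext) and assumes the hostnames my-dns-server.example and ocsp.example.test, which are constructed for the demonstration. It reports whether a PEM certificate asserts must-staple, extracts the OCSP responder URI that a client would have to resolve, and (optionally, against a live server) repeats the page's s_client -status check.

```shell
#!/bin/sh
# Added example (not from the Unbound project or the issue participants).
# Requires the openssl CLI on PATH. Hostnames below are constructed samples.

# has_must_staple CERT_PEM -> exit 0 if the cert carries the TLS Feature
# extension with status_request (RFC 7633 must-staple), 1 otherwise.
# openssl prints the extension as "TLS Feature:" followed by "status_request".
has_must_staple() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'TLS Feature' | grep -q 'status_request'
}

# ocsp_responder CERT_PEM -> prints the OCSP responder URI from the AIA
# extension (empty if none). This is the name a client must resolve, which
# is exactly what it cannot do through an unvalidated DoT resolver.
ocsp_responder() {
    openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null
}

# dot_deploy_verdict CERT_PEM -> "unsafe" if the cert demands stapling and the
# server cannot staple (the situation in this issue), "ok" otherwise.
dot_deploy_verdict() {
    if has_must_staple "$1"; then echo unsafe; else echo ok; fi
}

# staples_ocsp HOST PORT -> exit 0 if a live TLS server sends a stapled OCSP
# response (the page's s_client -status check). Needs network; not used by
# the offline test below.
staples_ocsp() {
    openssl s_client -connect "$1:$2" -status </dev/null 2>/dev/null |
        grep -q 'OCSP Response Status: successful'
}

# make_test_cert OUT_PEM must_staple|plain -> writes a throwaway self-signed
# cert (constructed sample) with an AIA OCSP URI and, for must_staple, the
# TLS Feature extension. The private key is written next to it as OUT_PEM.key.
make_test_cert() {
    out=$1; kind=$2
    set -- -addext "subjectAltName=DNS:my-dns-server.example" \
           -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test"
    if [ "$kind" = must_staple ]; then
        set -- "$@" -addext "tlsfeature=status_request"
    fi
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=my-dns-server.example" "$@" \
        -keyout "$out.key" -out "$out" 2>/dev/null
}

# Usage: sh dot_cert_check.sh server.pem
if [ $# -eq 1 ]; then
    echo "must-staple: $(has_must_staple "$1" && echo yes || echo no)"
    echo "OCSP responder: $(ocsp_responder "$1")"
    echo "DoT deployment without stapling: $(dot_deploy_verdict "$1")"
fi
```

Run it against the certificate you intend to install for Unbound's TLS listener; a verdict of "unsafe" means clients that honor must-staple will fail the handshake until stapling is available, while "ok" matches the corrected observation above that a Let's Encrypt certificate without the must-staple extension works.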
In the OPNsense context, this would be an awesome feature :)