
OCSP support

Open HLFH opened this issue 10 years ago • 10 comments

Hi,

Could you support OCSP?

It would be really cool to know after a TLS scan if OCSP is correctly enabled.

@angristan will be very happy too.

Thanks, HLFH

HLFH avatar Jan 19 '16 18:01 HLFH

Yep that would be a great feature

angristan avatar Jan 19 '16 18:01 angristan

OCSP is not a server-side feature, but a browser-side (OCSP request) + CA-side (OCSP URL inside the signed certificate) one.

Only OCSP stapling (not standalone OCSP) can be checked server-side. Possible to implement, waiting for a PR? :D

aeris avatar Jan 19 '16 18:01 aeris

@aeris You could tag this issue as backlog and feature request until @Angristan or I do the PR.

HLFH avatar Jan 19 '16 19:01 HLFH

Seems OpenSSL in Ruby doesn't have code to access OCSP information.

aeris avatar Jan 19 '16 19:01 aeris

@aeris With execJS + Node.js + OCSP APIs for Node.js, could we do that?

HLFH avatar Jan 19 '16 20:01 HLFH

No way I touch JavaScript! And very complicated to include in the existing code, by the way.

aeris avatar Jan 19 '16 20:01 aeris

Seems to not really implement OCSP stapling, but only to request the server (CA or content) outside the TLS context. More equivalent to standalone OCSP (a specific request without a real content query) than to OCSP stapling (revocation data included during the handshake for the real content).

For correct scoring, we need to check the real browser handshake/request, not specific traffic.

aeris avatar Jan 19 '16 20:01 aeris

Some Perl code: https://github.com/h2o/h2o/blob/master/share/h2o/fetch-ocsp-response

Some Python code: https://github.com/tatsuhiro-t/nghttp2/blob/master/script/fetch-ocsp-response

Some other Python code: https://github.com/iSECPartners/sslyze/blob/master/plugins/PluginCertInfo.py

Does that help? Or is that off-topic?

HLFH avatar Jan 19 '16 20:01 HLFH

Off-topic: this is standalone OCSP, not stapling. Currently not doable without a Ruby openssl extension patch; the OCSP stapling API is not available at this time.

aeris avatar Jan 19 '16 20:01 aeris

What about must-staple?

tdelmas avatar Jun 29 '16 12:06 tdelmas
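Two of the things raised in this thread are certificate-side and can be checked without any network traffic: the OCSP responder URL that aeris mentions (the authorityInfoAccess extension the CA puts in the signed certificate) and the must-staple question from tdelmas (the TLS Feature extension of RFC 7633, listing the status_request extension type, 5). The Ruby below is an added example, not cryptcheck's own code: it builds a constructed self-signed certificate carrying both extensions and reads them back using only Ruby's standard OpenSSL binding, decoding the extension DER rather than parsing OpenSSL's text rendering. The hostname, OCSP URL and function names are made up for the demo. Neither check proves that the server actually staples; that still needs a live handshake, for example `openssl s_client -connect host:443 -status`, which is exactly the part aeris says the Ruby binding of the time could not do.

```ruby
require "openssl"

# Added example: certificate-side OCSP checks that need no network.
# A present AIA OCSP URL only means a client *could* ask the CA (standalone
# OCSP); must-staple means a client *should refuse* a handshake without a
# stapled response. Whether the server staples is a handshake question.

AIA_OID            = "1.3.6.1.5.5.7.1.1"  # id-pe-authorityInfoAccess
OCSP_ACCESS_METHOD = "1.3.6.1.5.5.7.48.1" # id-ad-ocsp
TLS_FEATURE_OID    = "1.3.6.1.5.5.7.1.24" # id-pe-tlsfeature (RFC 7633)
STATUS_REQUEST     = 5                     # TLS extension type status_request

# Dotted OID of an extension, whatever short name the linked OpenSSL knows
# ("tlsfeature" on newer builds, the dotted form on older ones).
def ext_oid(ext)
  OpenSSL::ASN1::ObjectId.new(ext.oid).oid
end

# Raw contents of the extension's extnValue OCTET STRING (DER of the payload).
def ext_inner_der(ext)
  OpenSSL::ASN1.decode(ext.to_der).value.last.value
end

# OCSP responder URLs advertised in authorityInfoAccess. An empty list means a
# client has no OCSP URL to query at all (standalone OCSP is then impossible).
def ocsp_responders(cert)
  ext = cert.extensions.find { |e| ext_oid(e) == AIA_OID }
  return [] unless ext
  OpenSSL::ASN1.decode(ext_inner_der(ext)).value.map do |access_desc|
    method, location = access_desc.value
    next unless method.oid == OCSP_ACCESS_METHOD
    # GeneralName uniformResourceIdentifier is [6] IMPLICIT IA5String
    next unless location.tag == 6 && location.tag_class == :CONTEXT_SPECIFIC
    location.value
  end.compact
end

# RFC 7633 must-staple: TLS Feature extension whose list contains status_request.
def must_staple?(cert)
  ext = cert.extensions.find { |e| ext_oid(e) == TLS_FEATURE_OID }
  return false unless ext
  OpenSSL::ASN1.decode(ext_inner_der(ext)).value.any? { |i| i.value.to_i == STATUS_REQUEST }
end

# Constructed self-signed certificate for the demo (hypothetical names, not a
# real CA's certificate). Only the two extensions under discussion matter here.
def build_demo_cert(must_staple:, ocsp_url: "http://ocsp.example.test")
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=example.test")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.add_extension(ef.create_extension("authorityInfoAccess", "OCSP;URI:#{ocsp_url}"))
  if must_staple
    # TLSFeature ::= SEQUENCE OF INTEGER, built by hand so it does not depend
    # on the linked OpenSSL knowing the "tlsfeature" config name.
    features = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(STATUS_REQUEST)])
    cert.add_extension(OpenSSL::X509::Extension.new(TLS_FEATURE_OID, features.to_der, false))
  end
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

if __FILE__ == $0
  cert = build_demo_cert(must_staple: true)
  puts "OCSP responders: #{ocsp_responders(cert).inspect}"
  puts "must-staple:     #{must_staple?(cert)}"
end
```

Run it against a real leaf certificate with `OpenSSL::X509::Certificate.new(File.read("leaf.pem"))` in place of the demo cert. A scanner can use `must_staple?` to decide how severe a missing staple is: without the extension, an absent staple just falls back to the client's standalone OCSP behaviour; with it, a compliant client hard-fails the connection.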