
Add support for OCSP Must-Staple

Open rhymeswithmogul opened this issue 8 years ago • 2 comments

Are there any plans to add support for RFC 7633 (the OCSP Must-Staple extension) to ACMESharp in a future release? Let's Encrypt now supports CSRs with that flag set.

OCSP stapling allows supporting Web servers to automatically fetch OCSP responses, and include them with the TLS handshake to improve the revocation process. IIS 7.0 and higher have this feature enabled by default. The Must-Staple extension goes further, and fails any connection that does not include a valid response.

rhymeswithmogul, May 02 '17 13:05

Sounds like a great addition, if anyone has any interest in contributing the necessary changes needed to implement this with BouncyCastle -- please do!

ebekker, Aug 01 '17 22:08

Nice resource about this: https://scotthelme.co.uk/ocsp-must-staple/

The code in BouncyCastleProvider.cs should look something like this I suppose:

// id-pe-tlsfeature (1.3.6.1.5.5.7.1.24) with value SEQUENCE { INTEGER 5 } = 30 03 02 01 05 (status_request)
if (OCSPMustStaple) { attrs.Add(new DerObjectIdentifier("1.3.6.1.5.5.7.1.24"), new DerOctetString(new byte[] { 0x30, 0x03, 0x02, 0x01, 0x05 })); }

WouterTinus, Mar 01 '18 06:03
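The extension value hard-coded in the comment above, as an added Python example (not ACMESharp's or BouncyCastle's code): it encodes the RFC 7633 TLSFeature structure (SEQUENCE OF INTEGER) from a feature list and parses it back, so the bytes 30 03 02 01 05 can be verified and a certificate's extension value checked for Must-Staple. All inputs are constructed; the short-form DER lengths it supports are all this tiny value ever needs.

```python
# Added example (not ACMESharp or BouncyCastle code): encode and check the
# RFC 7633 TLSFeature extension value that the comment above hard-codes as
# 30 03 02 01 05. TLSFeature ::= SEQUENCE OF INTEGER; status_request is 5.
# Constructed inputs only; short-form DER lengths suffice for this tiny value.
from typing import List, Tuple

ID_PE_TLSFEATURE = "1.3.6.1.5.5.7.1.24"  # OID quoted on the page
STATUS_REQUEST = 5                       # TLS extension type for OCSP stapling

def _tlv(tag: int, body: bytes) -> bytes:
    if len(body) >= 0x80:
        raise ValueError("long-form lengths not needed for TLSFeature")
    return bytes([tag, len(body)]) + body

def _der_int(v: int) -> bytes:
    # Non-negative INTEGER; the extra bit keeps the top bit clear (positive).
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def encode_tls_feature(features: List[int]) -> bytes:
    # SEQUENCE OF INTEGER; [5] yields exactly the bytes from the comment above.
    return _tlv(0x30, b"".join(_der_int(f) for f in features))

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    # Returns (tag, value, next_pos); rejects truncated or long-form input.
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80 or pos + 2 + length > len(buf):
        raise ValueError("unsupported length form or truncated value")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def decode_tls_feature(ext_value: bytes) -> List[int]:
    # Parse the extension value back into its feature list.
    tag, seq, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("TLSFeature must be a single SEQUENCE")
    features, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("TLSFeature entries must be INTEGERs")
        features.append(int.from_bytes(val, "big", signed=True))
    return features

def has_must_staple(ext_value: bytes) -> bool:
    # True when status_request (5) is asserted: the certificate is Must-Staple.
    return STATUS_REQUEST in decode_tls_feature(ext_value)
```

The `DerOctetString` in the comment wraps this value in the extension's OCTET STRING; `decode_tls_feature` expects the inner bytes, i.e. what an X.509 parser hands back as the extension value.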