schoen
Per #5643, this would also be useful for courier-imap.
Thanks, @tallero!
@bmw, could you please take a look at this feature request?
Hi @hynek, The core OCSP query feature would be just making an OCSP query on the basis of a given X509 object (automatically extracting the responder URI and sending the...
(The HTTP headers could just be a dict and they could just be returned in a tuple with the OCSP response object. Ideally the OCSP response would already be parsed...
We have to be very careful about how this interacts with people's cert pinning strategies. In particular, if people achieve their pinning with `--key-path /etc/letsencrypt/archive/example.com/privkey1.pem`, their renewals would later fail...
As an update, a colleague gave me an estimate which indicated that over 10% of TLS key exchanges in a particular context are non-PFS and hence would benefit from the...
Hi @TomAnthony, Thanks! That's some functionality that we never got around to adding anywhere. One thing that I'm mindful of is that we originally named some of these Certbot options...
Oh, and I've demonstrated this by getting confused about whether this option *changes* the renewal configuration file on disk, or simply overrides it for the current invocation of Certbot when...
This seems to be straightforward to do, but is also a pretty serious DoS possibility when combined with autorenewal (because the autorenewer doesn't have the ability to deploy new DANE...