Future of OCSP Stapling?

[mdavids]

Let's Encrypt has announced this:

https://letsencrypt.org/2024/12/05/ending-ocsp/

Does this require a change on the internet.nl test?

[bwbroersma]

The OCSP stapling is in the current NCSC TLS guidelines, which are currently in review.
OCSP stapling is only relevant if there is an OCSP server to query, OCSP is made optional by SC63 Make OCSP optional, require CRLs, and incentivize automation.

There are already some test certificates, e.g. test1.pki.microsoft.com that do not have OID 1.3.6.1.5.5.7.48.1 (Online Certificate Status Protocol (OCSP)) (found with Censys, note this excludes key usage Time stamping and OCSP, since these also don't have this OID). See:

$ openssl s_client -showcerts -connect test1.pki.microsoft.com:443 -verify_quiet </dev/null 2>/dev/null | openssl x509 -noout -ocsp_uri

Internet.nl website test of test1.pki.microsoft.com still produces an ℹ️ informational/notice, even though OCSP (stapling) is not possible.

Probably this should be extended with a new state for not available:

Internet.nl/checks/models.py

Lines 79 to 82 in 0a16ff7

	class OcspStatus(Enum):
	ok = 0
	good = 1
	not_trusted = 2

It should be noted that some browsers have OCSP checking by default off, and e.g. use combined CRLSets.
See the table at How Do Browsers Handle Revoked SSL/TLS Certificates?

Related, Internet.nl currently does not check for revocation by checking OCSP, CRL or CRLSet/CRLite:

• Certification Revocation List (CRL) / Online Certification Status Protocol (OCSP) checks #59 (comment)

Another thing I wonder: could you also staple a revoked OCSP response, and get a ✅?

[bwbroersma]

This is rewritten in the sslyze, so only fix this in the tls-update.
Release date with this fix is ideally before the 7th of May 2025.