XMPP Service Operators - 2024-11-27


  1. moparisthebest

    > Do people have certificate revocation checks (CRL or OCSP) enabled by default on their servers? Guus: those are dead right? As in already or being deprecated by the CA forum

  2. Guus

    moparisthebest: are they? Let's Encrypt seems to have mothballed CRL, but I don't think OCSP?

  3. moparisthebest

    Guus: oops it's backwards from what you said https://letsencrypt.org/2024/07/23/replacing-ocsp-with-crls.html

  4. Guus

    I believe that they once wrote... That.

  5. Guus

    Oh, no, that's a different article

  6. Guus

    There's another article where they write, iirc, that CRL is only available as chunked data submitted to major browser vendors.

  7. Guus

    Their CRL endpoint seems to not work (or our code does not).

  8. moparisthebest

    Guus: this one maybe? https://letsencrypt.org/2022/09/07/new-life-for-crls/

  9. Menel

    Interesting. Maybe because nobody implemented must_staple

  10. moparisthebest

    Because that just means everything is broken if their OCSP endpoint is down when your server comes up?

  11. Maranda

    ☝️

  12. nuegia.net

    I tried forcing OCSP stapling in a browser once. It didn't work well because the uptime of these CA endpoints isn't all that great.

  13. Menel

    I've had it actually working on my websites without issues. But the apache2 MD module is one that actually works well. Good caching, good to set up, etc. From my research at that time, there are issues in many implementations on many web servers.