-
moparisthebest
> Do people have certificate revocation checks (CRL or OCSP) enabled by default on their servers? Guus: those are dead, right? As in already, or being deprecated by the CA forum?
-
Guus
moparisthebest: are they? Let's Encrypt seems to have mothballed CRL, but I don't think OCSP?
-
moparisthebest
Guus: oops, it's backwards from what you said https://letsencrypt.org/2024/07/23/replacing-ocsp-with-crls.html
-
Guus
I believe that they once wrote... That.
-
Guus
Oh, no, that's a different article
-
Guus
There's another article where they write, iirc, that CRL is only available as chunked data submitted to major browser vendors.
-
Guus
Their CRL endpoint seems to not work (or our code does not).
-
moparisthebest
Guus: this one maybe? https://letsencrypt.org/2022/09/07/new-life-for-crls/
-
Menel
Interesting. Maybe because nobody implemented must_staple
-
moparisthebest
Because that just means everything is broken if their ocsp endpoint is down when your server comes up?
-
Maranda
☝️
-
nuegia.net
I tried forcing OCSP stapling in a browser once. It didn't work well because the uptime of these CA endpoints isn't all that great.
-
Menel
I've had it actually working on my websites without issues. But the apache2 MD module is one that actually works well. Good caching, good to set up, etc. From my research at that time, there are issues in many implementations on many web servers.