OCSP stapling still impossible for lighttpd?

Started by meyergru, November 24, 2024, 10:06:03 AM

November 24, 2024, 10:06:03 AM Last Edit: November 24, 2024, 10:14:54 AM by meyergru
I just got the dreaded MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING error message, because my preferred certificate has OCSP stapling enabled. I want to use that feature, because my domain is used for other purposes as well with a wildcard certificate.

I found https://forum.opnsense.org/index.php?topic=26812, so is OCSP stapling still infeasible with lighttpd?

Ah, apparently the feature is available now: https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#OCSP-Stapling. I'll create a ticket.

Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

OCSP stapling has been available in lighttpd since lighttpd 1.4.56, released Nov 2020, which is 4 years ago.

Looks like you filed https://github.com/opnsense/core/issues/8084 with that info, too.

lighttpd provides a script to help retrieve OCSP stapling info from OCSP responders.
https://git.lighttpd.net/lighttpd/lighttpd1.4/src/branch/master/doc/scripts/cert-staple.sh

FYI: Let's Encrypt is shutting down its OCSP responders 6 Aug 2025.  No more OCSP stapling from Let's Encrypt after then.
https://letsencrypt.org/2024/12/05/ending-ocsp/
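The MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING error from the first post is raised when a certificate carries the TLS Feature (OCSP Must-Staple) extension but the server sends no stapled response. The following script is an added example, not code from this thread or from lighttpd; it checks a PEM certificate for that extension and checks whether a running server staples, assuming only the openssl CLI. The function names and the lighttpd directive `ssl.stapling-file` mentioned in the comments are the only assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or lighttpd): detect the OCSP Must-Staple
# (TLS Feature: status_request) extension and verify that a server staples.
# Requires the openssl command-line tool.

# Return 0 if the PEM certificate in $1 requires OCSP stapling, 1 otherwise.
# "openssl x509 -text" prints the extension as "TLS Feature:" followed by
# "status_request" on the next line.
cert_requires_stapling() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'TLS Feature' | grep -q 'status_request'
}

# Return 0 if the TLS server at $1:$2 sends a stapled OCSP response, 1 otherwise.
# This is a network check that mirrors what the browser sees.
server_staples() {
    printf 'Q\n' \
        | openssl s_client -connect "$1:$2" -servername "$1" -status 2>/dev/null \
        | grep -q 'OCSP Response Status: successful'
}

# Combine both checks: a Must-Staple certificate behind a server that does not
# staple is rejected by Firefox; either staple (lighttpd >= 1.4.56: point
# ssl.stapling-file at a refreshed OCSP response) or reissue the certificate
# without the extension.  Usage: check_deployment cert.pem host port
check_deployment() {
    if cert_requires_stapling "$1"; then
        if server_staples "$2" "$3"; then
            echo "ok: Must-Staple certificate and server staples"
        else
            echo "PROBLEM: Must-Staple certificate but no stapled response from $2:$3"
            return 1
        fi
    else
        echo "info: certificate does not require stapling"
    fi
}
```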

I just closed the feature request...