Modern Net::SSLeay docs indicate this should be possible. Basically we need to set the extension to request the staple, and then check afterwards that it's a valid staple, with some configurable timing constraints on the NotBefore/NotAfter window, as well as validity of the stapling cert, etc. Given expected refresh behaviors, we probably want to be able to WARN if NotBefore gets old (e.g. >75m), and then CRIT if NotAfter is less than X hours from expiry.
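As an added illustration (not the check_ssl plugin's own code), the threshold logic described above, written in Python in the style of a Nagios plugin. It assumes the TLS side has already run: the status_request extension was sent and the staple's signature was verified, and the parsed result is handed over as a `StapleResult` record (a constructed stand-in for the per-certificate result Net::SSLeay's OCSP helpers return). The 75-minute age warning comes from the task; the 12-hour NotAfter margin is an assumed default and would be an option in a real plugin.

```python
"""WARN/CRIT decision for an OCSP staple's validity window.

Added example, not check_ssl code. Network work (requesting and
signature-verifying the staple) is assumed done before this is called.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Standard Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


@dataclass
class StapleResult:
    """Constructed stand-in for a parsed, signature-verified OCSP response."""
    present: bool                           # did the server send a staple at all?
    cert_status: str = "good"               # "good", "revoked" or "unknown"
    this_update: Optional[datetime] = None  # OCSP thisUpdate (the NotBefore side)
    next_update: Optional[datetime] = None  # OCSP nextUpdate (the NotAfter side)


def _fmt(delta: timedelta) -> str:
    """Render a timedelta as whole minutes for the status line."""
    return f"{int(delta.total_seconds() // 60)}m"


def evaluate_staple(res: StapleResult, now: datetime,
                    warn_age: timedelta = timedelta(minutes=75),
                    crit_remaining: timedelta = timedelta(hours=12)) -> Tuple[int, str]:
    """Return (exit_code, message) for one staple.

    Hard failures (no staple, non-good status, expired, too close to
    nextUpdate) are CRITICAL and are checked before the softer "server has
    not refreshed recently" WARNING, so an old *and* nearly-expired staple
    reports CRITICAL.
    """
    if not res.present:
        return CRITICAL, "no OCSP staple returned by server"
    if res.cert_status != "good":
        return CRITICAL, f"OCSP staple reports certificate status '{res.cert_status}'"
    if res.this_update is None or res.next_update is None:
        return UNKNOWN, "staple lacks thisUpdate/nextUpdate"
    # Allow a few minutes of clock skew, but a staple dated well into the
    # future is not something we can reason about.
    if res.this_update > now + timedelta(minutes=5):
        return CRITICAL, "staple thisUpdate is in the future (clock skew?)"
    if now >= res.next_update:
        return CRITICAL, "staple has passed nextUpdate (expired)"

    remaining = res.next_update - now
    age = now - res.this_update
    if remaining < crit_remaining:
        return CRITICAL, f"staple expires in {_fmt(remaining)} (< {_fmt(crit_remaining)})"
    if age > warn_age:
        return WARNING, f"staple is {_fmt(age)} old (> {_fmt(warn_age)}), server not refreshing"
    return OK, f"staple valid, age {_fmt(age)}, {_fmt(remaining)} remaining"


if __name__ == "__main__":
    # Constructed sample: a staple fetched 30 minutes after the responder signed it.
    now = datetime(2016, 10, 20, 12, 0, tzinfo=timezone.utc)
    sample = StapleResult(present=True, cert_status="good",
                          this_update=now - timedelta(minutes=30),
                          next_update=now + timedelta(days=3))
    code, msg = evaluate_staple(sample, now)
    print(["OK", "WARNING", "CRITICAL", "UNKNOWN"][code] + ": " + msg)
```

Ordering the checks this way keeps the plugin's output unambiguous: a missing or revoked staple and an imminently expiring one are operational emergencies, while a stale-but-still-valid staple only signals that the server's refresh job is lagging.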
Description
Details
Related Changes in Gerrit:
| Subject | Repo | Branch | Lines +/- |
|---|---|---|---|
| check_ssl: support OCSP Stapling | operations/puppet | production | +44 -0 |
| check_sslxNN: require OCSP stapling | operations/puppet | production | +2 -2 |
| Status | Subtype | Assigned | Task |
|---|---|---|---|
| Declined | | None | T92002 implement Public Key Pinning (HPKP) for Wikimedia domains |
| Resolved | | BBlack | T148131 Deploy redundant unified certs |
| Resolved | | BBlack | T93927 Make OCSP Stapling support more generic and robust |
| Resolved | | BBlack | T148490 Extend check_sslxnn to check OCSP Stapling |
Event Timeline
Change 318931 had a related patch set uploaded (by BBlack):
check_ssl: support OCSP Stapling and related
Change 318932 had a related patch set uploaded (by BBlack):
check_sslxNN: require OCSP stapling