Modern Net::SSLeay docs indicate this should be possible. Basically we need to set the extension to request the staple, and then check afterwards that it's a valid staple, with some configurable timing constraints on the NotBefore/NotAfter window, as well as validity of the stapling cert, etc. Given expected refresh behaviors, we probably want to be able to WARN if NotBefore gets old (e.g. >75m), and then CRIT if NotAfter is less than X hours from expiry.
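The WARN/CRIT decision sketched above, as an added Python example rather than the check_sslxNN plugin's own code: it assumes the staple has already been requested and decoded into a small dict (the field names `response_status`, `cert_status`, `this_update`, `next_update` and the function `evaluate_staple` are mine, not Net::SSLeay's), uses the 75-minute age threshold from the description, and takes the unspecified "X hours" expiry threshold as a 4-hour parameter.

```python
from datetime import datetime, timedelta, timezone

# Nagios-style exit codes, as used by the check_ssl* family of plugins
OK, WARNING, CRITICAL = 0, 1, 2


def evaluate_staple(staple, now, warn_age=timedelta(minutes=75),
                    crit_remaining=timedelta(hours=4)):
    """Classify a decoded OCSP staple into (exit_code, message).

    `staple` is None when the server answered the status_request extension
    with no staple; otherwise a dict with 'response_status' ("successful" or
    the responder's error string), 'cert_status' ("good"/"revoked"/"unknown"),
    and aware datetimes 'this_update' (NotBefore) / 'next_update' (NotAfter).
    More severe conditions are checked first so CRIT wins over WARN.
    """
    if staple is None:
        return CRITICAL, "no OCSP staple received"
    if staple["response_status"] != "successful":
        return CRITICAL, f"OCSP responder status {staple['response_status']}"
    if staple["cert_status"] != "good":
        return CRITICAL, f"certificate status {staple['cert_status']}"
    this_update, next_update = staple["this_update"], staple["next_update"]
    if next_update is None:
        return CRITICAL, "staple carries no NotAfter (nextUpdate)"
    if this_update > now:
        return CRITICAL, "staple NotBefore is in the future (clock skew?)"
    remaining = next_update - now
    if remaining <= timedelta(0):
        return CRITICAL, f"staple expired {-remaining} ago"
    if remaining < crit_remaining:  # assumed 'X hours' threshold
        return CRITICAL, f"staple expires in {remaining}"
    age = now - this_update
    if age > warn_age:  # refresh should have produced a newer staple by now
        return WARNING, f"staple is {age} old (>{warn_age}); refresh may be stuck"
    return OK, f"staple age {age}, expires in {remaining}"


# Constructed sample data (not captured from any real server)
NOW = datetime(2016, 10, 20, 12, 0, tzinfo=timezone.utc)
FRESH = {"response_status": "successful", "cert_status": "good",
         "this_update": NOW - timedelta(minutes=30),
         "next_update": NOW + timedelta(days=3)}
STALE = dict(FRESH, this_update=NOW - timedelta(hours=2))
NEAR_EXPIRY = dict(FRESH, next_update=NOW + timedelta(hours=1))
EXPIRED = dict(FRESH, next_update=NOW - timedelta(minutes=1))
REVOKED = dict(FRESH, cert_status="revoked")

if __name__ == "__main__":
    for name, s in [("fresh", FRESH), ("stale", STALE), ("near", NEAR_EXPIRY)]:
        print(name, *evaluate_staple(s, NOW))
```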
| Status | Assignee | Task |
|---|---|---|
| Declined | None | T165455 Go from "E" to "A+" on Securityheaders.io |
| Declined | None | T92002 implement Public Key Pinning (HPKP) for Wikimedia domains |
| Resolved | BBlack | T148131 Deploy redundant unified certs |
| Resolved | BBlack | T93927 Make OCSP Stapling support more generic and robust |
| Resolved | BBlack | T148490 Extend check_sslxnn to check OCSP Stapling |