Hello,
Could 'OCSP stapling' (for webserver only) perhaps be enabled (by standard) in your configurations? :)
Thanks.
We had a pull request for stapling (not must-staple) two years ago: https://github.com/mailcow/mailcow-dockerized/pull/1688. We didn't go ahead with it because some people had concerns. I don't think there is any risk as Nginx should just stop stapling when the OCSP server is unreachable, but I haven't tried.
OCSP is of limited use though as browsers tend to only check against their internal revocation databases (OneCRL, CRLset, ...) nowadays. Plus our certificates are only valid for 90 days, so the damage a compromised certificate can do is limited to that time. Of course, OCSP stapling reduces it to one day, but it's still much better than 3 years or whatever was common on certificates before Let's Encrypt.
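For anyone who wants to try stapling (not must-staple) on their own installation, this is an added example of the relevant Nginx directives; it is not mailcow's configuration or the content of the linked pull request. The hostname, certificate paths and resolver address are placeholders you need to replace.

```nginx
# Added example (not from the mailcow project): minimal OCSP stapling
# for an HTTPS vhost. Hostname, paths and resolver are placeholders.
server {
    listen 443 ssl http2;
    server_name mail.example.org;

    ssl_certificate     /etc/ssl/PLACEHOLDER/fullchain.pem;   # leaf + intermediates
    ssl_certificate_key /etc/ssl/PLACEHOLDER/key.pem;

    # Fetch the OCSP response for the server certificate and include it
    # in the TLS handshake. When the responder is unreachable Nginx simply
    # serves the handshake without a staple; it does not refuse connections.
    ssl_stapling on;

    # Verify the fetched response against the issuer chain before stapling
    # it, so a response that does not verify is dropped rather than sent.
    # Verification requires the intermediates and root in this file.
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/PLACEHOLDER/chain.pem;

    # Nginx needs a resolver to look up the responder named in the
    # certificate's AIA extension. 127.0.0.11 is Docker's embedded DNS
    # (assumption: the vhost runs inside a Docker container).
    resolver 127.0.0.11 valid=300s;
    resolver_timeout 5s;
}
```

To confirm a staple is being sent, run `openssl s_client -connect mail.example.org:443 -servername mail.example.org -status </dev/null` and look for `OCSP Response Status: successful` in the output. Nginx fetches the response lazily, so the first handshake after a start or reload carries no staple; check a second time.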
Hm, okay, maybe your team think about it again :)
Please decide this on your own for your personal installation.
I agree with mkuron here. :)