Posted to users@httpd.apache.org by Quintin Ash <qa...@tenable.com.INVALID> on 2023/05/03 16:12:27 UTC

Re: [users@httpd] Re: [EXTERNAL] Re: [users@httpd] OCSP Stapling Configuration Setup

Nothing that I could find in the documentation says that the OCSP stapling
does anything outside of that. The OCSP server will add that status to the
handshake / response. I guess, is there a way to check that OCSP response
status in Apache and manually block this based on it?

--
Quintin Ash | Senior Software Engineer
Tenable Network Security
7021 Columbia Gateway Drive, Suite 500
Columbia, MD 21046
qash@tenable.com
W: 443-545-2101 ext. 472
tenable.com <http://www.tenable.com/>


On Mon, Apr 24, 2023 at 12:41 PM Eric Covener <co...@gmail.com> wrote:

>> I have added tracing and see that the OCSP is revoked. I guess my
>> question is, if the certificate is revoked, should Apache deny access to
>> the website? Because it is still allowing access even though the OCSP
>> server mentions that it's revoked.
>>
>
> Is there anything in the docs that implies OCSP stapling does anything but
> staple the OCSP response so the client can see it?
>
> Did it get added as an extension in the handshake or not?
>
>
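
Whether a response was stapled into the handshake, and what status it carries, can be read from the client side with `openssl s_client -status`. The script below is an added example, not part of the original messages: the function names are hypothetical and the sample text is constructed in the layout s_client prints.

```shell
#!/bin/sh
# Added example: names and sample text are constructed for illustration.

# Read `openssl s_client -status` output on stdin and print the stapled
# certificate status: good, revoked, unknown, not-stapled, or unparsed.
staple_status() {
    awk '
        /OCSP response: no response sent/ { s = "not-stapled" }
        /Cert Status:/                    { s = $3 }
        END { if (s == "") s = "unparsed"; print s }
    '
}

# Live check against a server (needs network; defined but not called here).
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" -status \
        </dev/null 2>/dev/null | staple_status
}

# Constructed excerpt: a stapled response reporting a revoked certificate.
sample_revoked() {
    cat <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: revoked
    Revocation Time: Jan  1 00:00:00 2023 GMT
EOF
}

# Constructed excerpt: handshake completed without a stapled response.
sample_none() {
    printf 'CONNECTED(00000003)\nOCSP response: no response sent\n'
}

# Monitoring gate: succeed only when a "good" response is stapled.
staple_is_good() {
    [ "$(staple_status)" = "good" ]
}

sample_revoked | staple_status
sample_none | staple_status
```

The server only staples the response; acting on a revoked status is left to the client or to an external check such as `check_host` run from monitoring.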