[27] OCSP Stapling sends an OCSP response from the TLS server to the TLS client during the TLS handshake. This lets the client confirm that the server certificate has not been revoked without separately querying an OCSP server.
[63] Any number of OCSP responses may be included, but in practice it seems only one is sent (none for the intermediate certificate).
[30] OCSP must-staple is a certificate flag that makes OCSP stapling mandatory.
[66] It is enabled by specifying the value 5 in the tlsfeature certificate extension.
[31] When OCSP must-staple is enabled on a TLS server certificate and the certificate's validity cannot be verified via OCSP stapling in that TLS handshake, the handshake must be treated as a failure.
[40] Some CAs, such as Let's Encrypt, issue certificates with the must-staple flag (that is, they offer an option to set the flag). Certificates with the must-staple flag can also be issued with OpenSSL.
[67] In practice, however, certificates that actually have the flag set are rarely seen.
[41] On the client side, Firefox supports it. Chrome apparently has no plans to support it >>37.
[69] Several years have passed since then, and the situation seems unlikely to change. It may be fair to consider this technology a failure.
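As an added example (not code from the original page or from OpenSSL), the following pure-stdlib Python encodes and decodes the TLS Feature extension described above (id-pe-tlsfeature, OID 1.3.6.1.5.5.7.1.24 per RFC 7633) and reports whether a certificate's Extensions SEQUENCE carries the must-staple value 5. The sample extension blobs are constructed inline; the reader handles long-form DER lengths, so it also works on the Extensions block of a real certificate.

```python
STATUS_REQUEST = 5                                   # TLS ExtensionType status_request
TLS_FEATURE_OID = bytes.fromhex("2b06010505070118")  # DER body of 1.3.6.1.5.5.7.1.24 (RFC 7633)
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")      # DER body of 2.5.29.19, for the sample only

def der_tlv(tag, body):
    """Tag-Length-Value with a DER length (short form below 128, long form otherwise)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    raw = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def der_read(data, pos=0):
    """Return (tag, value, next_pos) for the TLV at pos, long-form lengths included."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_seq_items(body, pos=0):  # yield (tag, value) for each element of a SEQUENCE body
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        yield tag, val

def encode_tls_features(features):
    """TLSFeatures ::= SEQUENCE OF INTEGER (one-byte INTEGERs suffice for the defined values)."""
    return der_tlv(0x30, b"".join(der_tlv(0x02, bytes([f])) for f in features))

def encode_extension(oid_body, value, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    crit = der_tlv(0x01, b"\xff") if critical else b""
    return der_tlv(0x30, der_tlv(0x06, oid_body) + crit + der_tlv(0x04, value))

def tls_features(extensions_der):
    """Walk an X.509 Extensions SEQUENCE; return the TLSFeatures list, or None if absent."""
    _, exts, _ = der_read(extensions_der)
    for _, ext in der_seq_items(exts):
        fields = list(der_seq_items(ext))
        if fields[0] == (0x06, TLS_FEATURE_OID):
            _, seq, _ = der_read(fields[-1][1])  # extnValue is always the last field
            return [int.from_bytes(v, "big", signed=True) for _, v in der_seq_items(seq)]
    return None

def requires_stapling(extensions_der):
    """True iff the extensions carry TLS Feature status_request, i.e. OCSP must-staple."""
    return STATUS_REQUEST in (tls_features(extensions_der) or [])

_BC = encode_extension(BASIC_CONSTRAINTS_OID, b"\x30\x00", critical=True)  # constructed sample ext
PLAIN_EXTS = der_tlv(0x30, _BC)
MUST_STAPLE_EXTS = der_tlv(0x30, _BC + encode_extension(TLS_FEATURE_OID, encode_tls_features([STATUS_REQUEST])))
```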
[29] Examples of websites using OCSP stapling:
[38] Examples of OCSP stapling + must-staple:
[23] There is also OCSP Multi-Stapling.
[2] Security/Server Side TLS - MozillaWiki https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling
[3] CA:RevocationPlan - MozillaWiki https://wiki.mozilla.org/CA:RevocationPlan
[4] OCSP Stapling in Firefox | Mozilla Security Blog https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
[5] Improving Revocation: OCSP Must-Staple and Short-lived Certificates | Mozilla Security Blog https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/
[6] ImperialViolet - No, don't enable revocation checking (by Adam Langley) https://www.imperialviolet.org/2014/04/19/revchecking.html
[7] draft-hallambaker-muststaple-00 - X.509v3 Extension: OCSP Stapling Required https://tools.ietf.org/html/draft-hallambaker-muststaple-00
[10] OCSP Must-Staple and OCSP Multi-Stapling, and OneCRL | Cybertrust https://www.cybertrust.ne.jp/journal/ocsp-must-staple-ocsp-multi-stapling-onecrl.html
[11] Improving revocation : will Let's Encrypt support OCSP Must-staple? - Feature Requests - Let's Encrypt Community Support https://community.letsencrypt.org/t/improving-revocation-will-lets-encrypt-support-ocsp-must-staple/4334/
[12] Issue 572734 - chromium - Support for OCSP Must-staple - Monorail https://bugs.chromium.org/p/chromium/issues/detail?id=572734
[68] Reporting for OCSP stapling ("Expect-OCSP") [41246003] - Chromium https://issues.chromium.org/issues/41246003
[13] 901698 – implement OCSP-must-staple (off by default) https://bugzilla.mozilla.org/show_bug.cgi?id=901698
[14] [websec] Requiring OCSP Stapling as a directive in HSTS https://www.ietf.org/mail-archive/web/websec/current/msg02297.html
[15] 921907 – Enable OCSP must-staple feature https://bugzilla.mozilla.org/show_bug.cgi?id=921907
[16] JEP 249: OCSP Stapling for TLS http://openjdk.java.net/jeps/249
[17] Bug 50740 – Enable OCSP Stapling by default https://bz.apache.org/bugzilla/show_bug.cgi?id=50740
[18] 360420 – Implement OCSP Stapling in libSSL https://bugzilla.mozilla.org/show_bug.cgi?id=360420
[19] gecko-dev/NSSCertDBTrustDomain.cpp at master · mozilla/gecko-dev https://github.com/mozilla/gecko-dev/blob/master/security/certverifier/NSSCertDBTrustDomain.cpp
[24] OpenSSL (by OpenSSL Foundation, Inc.) https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_tlsext_status_cb.html
[26] nginx/ngx_event_openssl_stapling.c at master · nginx/nginx https://github.com/nginx/nginx/blob/master/src/event/ngx_event_openssl_stapling.c
[33] Diff - 6c7aed048ca0a335e02dfee10976c5dc8620783e^! - boringssl - Git at Google https://boringssl.googlesource.com/boringssl/+/6c7aed048ca0a335e02dfee10976c5dc8620783e%5E!/
[34] Support the TLS Feature (aka Must Staple) X.509v3 extension (RFC7633). by robstradling · Pull Request #495 · openssl/openssl https://github.com/openssl/openssl/pull/495
[35] DigiCert OCSP-Stapling Improves NGINX Server Security | DigiCert Blog https://blog.digicert.com/digicert-ocsp-stapling-improves-nginx-security/
[36] How to simply check if a certificate has the OCSP must-staple attribute? - Information Security Stack Exchange http://security.stackexchange.com/questions/119316/how-to-simply-check-if-a-certificate-has-the-ocsp-must-staple-attribute
[37] Feature request: OCSP Must Staple (RFC 7633) - Google Groups https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/-pB8IFNu5tw
[42] Add support for OCSP Must-Staple · Issue #249 · ebekker/ACMESharp https://github.com/ebekker/ACMESharp/issues/249
[43] Improving revocation : will Let's Encrypt support OCSP Must-staple? - Feature Requests - Let's Encrypt Community Support https://community.letsencrypt.org/t/improving-revocation-will-lets-encrypt-support-ocsp-must-staple/4334/25
[44] Support OCSP must staple · Issue #104 · jetstack/kube-lego https://github.com/jetstack/kube-lego/issues/104
[45] OCSP Must-Staple (TLS Feature extension) · Issue #3891 · pyca/cryptography https://github.com/pyca/cryptography/issues/3891
[46] /docs/manmaster/man5/x509v3_config.html (by OpenSSL Foundation, Inc.) https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#TLS-Feature-aka-Must-Staple
[47] High-reliability OCSP stapling and why it matters https://blog.cloudflare.com/high-reliability-ocsp-stapling/
[49] OCSP Expect-Staple - Google Docs https://docs.google.com/document/d/1aISglJIIwglcOAhqNfK-2vtQl-_dWAapc-VLDh-9-BE/edit#heading=h.rkpittae54q
[50] 1323141 - tryLater OCSP response causes hard failure when stapled https://bugzilla.mozilla.org/show_bug.cgi?id=1323141
[51] How to Resolve the "Secure Connection Failed" Certificate Error in Firefox | Alexander's Blog https://www.zubairalexander.com/blog/how-to-resolve-the-secure-connection-failed-error-in-firefox/
[52] Can not access gogs.io by Firefox · Issue #3606 · gogits/gogs https://github.com/gogits/gogs/issues/3606
[53] TLS/OSCP Issues on gogs.io with Firefox · Issue #3793 · gogits/gogs https://github.com/gogits/gogs/issues/3793
[54] OCSP server sending expired responses + stapling breaks Chrome - Help - Let's Encrypt Community Support https://community.letsencrypt.org/t/ocsp-server-sending-expired-responses-stapling-breaks-chrome/23964
[55] OCSP stapling should not be green "Yes" for sites with revoked certificates · Issue #142 · ssllabs/ssllabs-scan https://github.com/ssllabs/ssllabs-scan/issues/142
[57] An error occurred during a connection to tools.usps.com. Invalid OCSP signing certificate in OCSP response. Error code: SEC_ERROR_OCSP_INVALID_SIGNING_CERT | Firefox Support Forum | Mozilla Support https://support.mozilla.org/bm/questions/1179899
[58] 727255 - Invalid OCSP stapled responses don't cause a spec-mandated connection abort - chromium - Monorail https://bugs.chromium.org/p/chromium/issues/detail?id=727255
[59] Security FAQ - The Chromium Projects https://dev.chromium.org/Home/chromium-security/security-faq#TOC-What-s-the-story-with-certificate-revocation-
[60] ocsp-stapling.md https://gist.github.com/sleevi/5efe9ef98961ecfb4da8
[61] 50740 – Enable OCSP Stapling by default https://bz.apache.org/bugzilla/show_bug.cgi?id=50740
[65] RFC 7633 says there is an IANA registry under Transport Layer Security (TLS) Extensions https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml, but it does not actually exist there, and I could not find it anywhere else either.