
OCSP Stapling support for Kestrel #4762

Closed
Tratcher opened this issue Jan 5, 2018 · 13 comments
Labels
affected-very-few This issue impacts very few customers area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions enhancement This issue represents an ask for new feature or an enhancement to an existing one feature-kestrel severity-nice-to-have This label is used by an internal tool

Comments

@Tratcher
Member

Tratcher commented Jan 5, 2018

From @rsrinivasanhome on January 5, 2018 13:28

Does Kestrel support OCSP Stapling? I am not able to find any links on Google.

Copied from original issue: aspnet/AspNetCoreModule#283

@samsosa
Contributor

samsosa commented Jan 6, 2018

No, Kestrel doesn't support OCSP Stapling, but Microsoft IIS since version 8.0 uses this configuration by default.

@muratg
Contributor

muratg commented Feb 21, 2018

After chatting with @shirhatti, putting this tentatively in 3.0.0.

@muratg
Contributor

muratg commented Nov 16, 2018

cc @blowdart

@aspnet-hello aspnet-hello transferred this issue from aspnet/KestrelHttpServer Dec 13, 2018
@aspnet-hello aspnet-hello added this to the Backlog milestone Dec 13, 2018
@zigszigsdk

I assume that this was not added in 3.0.0. Any idea when we'll see it?

@Tratcher
Member Author

No, it's on the backlog. What scenarios would this unblock for you?

Do we have a design proposal for this? As a TLS feature would this require changes to SslStream?

@zigszigsdk

It's not currently a blocker for anything. I was looking into a site report from https://www.ssllabs.com/, and wanted to see if I could simply just do it. As this thread was the first proper one that popped up, and still lacked an update since 3.0.0 was released, I thought it was proper to request an update - since others might also find this thread as I did.

@Tratcher
Member Author

Depends on SslStream dotnet/runtime#33377

@jkotalik jkotalik added affected-very-few This issue impacts very few customers enhancement This issue represents an ask for new feature or an enhancement to an existing one severity-nice-to-have This label is used by an internal tool labels Nov 13, 2020 — with ASP.NET Core Issue Ranking
@Tratcher Tratcher modified the milestones: Backlog, .NET 7 Planning Oct 29, 2021
@adityamandaleeka adityamandaleeka changed the title Query Does Kestrel support OCSP Stapling OCSP Stapling support for Kestrel Jan 29, 2022
@adityamandaleeka
Member

Tentatively putting this in Preview 7 since the runtime-side dependencies are nearly done. cc: @bartonjs

@bartonjs
Member

bartonjs commented Jun 3, 2022

@adityamandaleeka For Windows the server side is something I haven't figured out. SChannel's documentation says it's on by default unless the context is set up for doing SNI... but either something's not working or I'm really good at losing race conditions in my test efforts.

For Linux it's enabled for servers using SslStream that present their certificates via SslStreamCertificateContext objects, provided that they didn't set offline:true when they built it. (Starting in preview 7, or current builds out of main).

macOS and mobile are not in scope, they get big question marks (if it worked already then it still works; if not, it doesn't).

@adityamandaleeka
Member

Ahh, okay. Let us know when the Windows issues are figured out (sounds like you're actively investigating that so hopefully Preview 6 or 7?).

@adityamandaleeka
Member

@bartonjs Any update on this?

@bartonjs
Member

Nope

@adityamandaleeka adityamandaleeka modified the milestones: 7.0-preview7, 7.0-rc1 Jul 6, 2022
@adityamandaleeka adityamandaleeka self-assigned this Aug 3, 2022
@adityamandaleeka
Member

Sounds like this is now done: dotnet/runtime#33377 and there's no known work for us to do in Kestrel for this to light up.

If the TLS Server is running Windows, then SChannel is supposed to just provide OCSP stapling with no extra work on our part, and that applies to all .NET versions.

If the TLS Server is running Linux, then OCSP Stapling requires .NET 7, because we had to do work to enable it on Linux.

For all OSes it requires that the CA uses OCSP, and that the TLS Server’s network policy permits it to talk to the OCSP endpoint appropriate to the certificate.
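
An added example (not code from this issue, from Kestrel or from the .NET runtime) of the Linux condition bartonjs and adityamandaleeka describe above: a raw SslStream server on .NET 7 that hands its certificate over through a SslStreamCertificateContext built with offline:false, which is what lets the runtime fetch and staple the OCSP response. The PFX path, password and port are placeholders.

```csharp
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;

// Added example, not code from this issue, Kestrel or the .NET runtime.
// Shows the raw SslStream form of what Kestrel relies on with .NET 7 on
// Linux: the certificate must reach SslStream as a SslStreamCertificateContext
// built with offline:false, otherwise no OCSP response is fetched or stapled.
// PFX path and password are placeholders (assumptions).
static class OcspStaplingServer
{
    // Build the context once at startup and reuse it for every connection:
    // the OCSP fetch is tied to this object, not to each handshake.
    public static SslStreamCertificateContext BuildContext(string pfxPath, string pfxPassword)
    {
        var cert = new X509Certificate2(pfxPath, pfxPassword);
        // offline:false (the default) lets the runtime contact the responder named in
        // the certificate's AIA extension; that needs egress to the CA's OCSP endpoint,
        // which is the network-policy condition the final comment calls out.
        return SslStreamCertificateContext.Create(cert, additionalCertificates: null, offline: false);
    }

    public static async Task ServeAsync(SslStreamCertificateContext ctx, int port)
    {
        var listener = new TcpListener(IPAddress.Loopback, port);
        listener.Start();
        while (true)
        {
            using TcpClient client = await listener.AcceptTcpClientAsync();
            await using var tls = new SslStream(client.GetStream(), leaveInnerStreamOpen: false);
            await tls.AuthenticateAsServerAsync(new SslServerAuthenticationOptions
            {
                // ServerCertificateContext, not ServerCertificate: the context is
                // what carries the cached OCSP response into the handshake.
                ServerCertificateContext = ctx,
                EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13,
            });
            // Handshake complete; the staple (if fetched) went out alongside the
            // certificate. Reply minimally and close the connection.
            byte[] body = Encoding.ASCII.GetBytes("HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok");
            await tls.WriteAsync(body);
        }
    }

    public static Task Main() =>
        ServeAsync(BuildContext("/path/to/server.pfx", "<pfx-password>"), 8443);
}
```

With the CA's OCSP responder reachable from the server, `openssl s_client -connect 127.0.0.1:8443 -status </dev/null` should report an OCSP Response Status of successful; if it reports that no response was sent, check egress to the responder before looking at the .NET side.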

@ghost ghost locked as resolved and limited conversation to collaborators Sep 9, 2022
@amcasey amcasey added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed area-runtime labels Jun 2, 2023