These are chat archives for IndySockets/Indy

13th Dec 2016
Jeroen Wiert Pluimers
@jpluimers
Dec 13 2016 07:32
@rlebeau https://en.wikipedia.org/wiki/OCSP_stapling a mechanism for checking the revocation of certificates.
Ludwig Behm
@lbehm
Dec 13 2016 08:55
@rlebeau OCSP is the replacement for CRL. The basic concept is that the user agent looks in the certificate definition, finds an OCSP server address, and asks it whether the certificate is still valid.
Now we have the problem that these OCSP servers don't have that great uptime. Here comes OCSP Stapling to the rescue: it's basically a TLS extension in the HTTPS connection. The HTTPS web server checks its certificates for an OCSP server. If one is found, then it, the web server, asks the OCSP server every now and then for the validity of the certificate (signed with a timestamp from the CA), and passes it to the user agent when a connection is established.
If everything works well, the user agent finds that signed OCSP response and doesn't have to query and wait for a response from a hard-to-reach 3rd party.
Btw: it also improves user privacy - the 3rd party (CA/OCSP server) can no longer see which server is being browsed.
Ludwig Behm
@lbehm
Dec 13 2016 09:03
I already looked at some implementations in nginx and openssl s_server... and gave up - that's just very strange stuff in openssl...