OCSP revocation check despite stapled response
03-17-2018, 02:12 AM
Post: #1
OCSP revocation check despite stapled response
Hey!

This test is showing an OCSP revocation check (making sure the site's certificate is still legit), even though the tcpdump shows crutchfield.com responding to the TLS handshake request with a signed OCSP response "stapled" on.

On 3G it's causing an extra 1s for the TLS handshake (performance killer).

What could be causing the browser to ignore the stapled OCSP response?

Thanks,
Michael
03-19-2018, 04:44 AM
Post: #2
RE: OCSP revocation check despite stapled response
Creditkarma.com and overstock.com also have the same problem. They both use extended validation certificates. Is something about the browser configuration forcing a revocation check even though the OCSP response is stapled?
03-23-2018, 11:40 PM
Post: #3
RE: OCSP revocation check despite stapled response
Turns out the OCSP check is on the intermediate certificate. https://www.webpagetest.org/forums/showt...?tid=14075

The question now is, why can't I reproduce this locally? The OCSP check shows up in the tcpdump for the WPT results... but not in a trace generated locally.
04-13-2018, 01:12 AM
Post: #4
RE: OCSP revocation check despite stapled response
Have you had any luck making progress on this?

I've read in a few places that most browsers don't make revocation checks, but I am observing the same behavior with WPT: with OCSP-stapling-enabled EV certificates the revocation check is always made.

I've wiresharked sessions with chrome/FF and don't see the OCSP check being made and am wondering if this is specific to WPT and can safely be ignored.
04-13-2018, 04:20 PM
Post: #5
RE: OCSP revocation check despite stapled response
Where did you hear that browsers don't make revocation checks? Chrome won't if you don't have an EV certificate, but as long as your site is using EV certificates all browsers will do revocation checks.

The only question at this point is if revocation checks for intermediary certificates get cached or not (leading to how frequently they would get checked).
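A way to confirm what posts #3 and #5 describe from your own capture, as an added example that is not code from this thread or from WebPageTest: with the TLS 1.2 status_request extension a server staples one OCSP response, and that response covers the end-entity certificate, so a client that insists on revocation checking (as the thread reports for EV certificates) still has to fetch the intermediate's status from the URL in that certificate's Authority Information Access extension. The script below reads the text that `openssl s_client -status -showcerts` prints, reports whether a response was stapled and which serial it vouches for, and lists the OCSP responder URL of every certificate in the served chain. The host name, file names and the sample handshake text are assumptions; the samples are constructed in the shape OpenSSL prints, with made-up values.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from WebPageTest.
# Reads `openssl s_client -status -showcerts` output and answers:
#   1. did the server staple an OCSP response, and which serial does it cover?
#   2. which certificates in the served chain carry an OCSP responder URL
#      (each one the staple does not cover may still cost a live lookup)?
# HOST, file names and the SAMPLE_* text below are assumptions / constructed.

# staple_status: stdin = s_client output. Prints stapled | unstapled | unknown.
staple_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo unstapled
    else
        echo unknown
    fi
}

# stapled_response_count: number of single responses inside the staple.
# With TLS 1.2 status_request this is at most 1 (the end-entity certificate),
# so the intermediate's status is never in the staple.
stapled_response_count() {
    grep -c 'Certificate ID:' || true
}

# stapled_serials: serial numbers the stapled response vouches for, one per line.
stapled_serials() {
    sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*//p'
}

# ocsp_urls_in_chain: stdin = s_client -showcerts output. Splits the PEM blocks
# and prints each certificate's subject and OCSP responder URL (needs openssl).
ocsp_urls_in_chain() {
    dir=$(mktemp -d)
    awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem"; inpem = 1 }
        inpem { print > f }
        /-----END CERTIFICATE-----/ { inpem = 0; close(f) }'
    for f in "$dir"/cert*.pem; do
        [ -f "$f" ] || continue
        subj=$(openssl x509 -in "$f" -noout -subject)
        uri=$(openssl x509 -in "$f" -noout -ocsp_uri)
        printf '%s\n  OCSP responder: %s\n' "$subj" "${uri:-(none)}"
    done
    rm -rf "$dir"
}

# Constructed sample: the -status section of a server that staples.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 0123456789ABCDEF0123456789ABCDEF01234567
      Issuer Key Hash: 89ABCDEF0123456789ABCDEF0123456789ABCDEF
      Serial Number: 0A1B2C3D4E5F60718293A4B5C6D7E8F9
    Cert Status: good
======================================
'

# Constructed sample: a server that sends nothing in the status_request reply.
SAMPLE_UNSTAPLED='CONNECTED(00000003)
OCSP response: no response sent
'

# Live usage (needs network and openssl): sh staple_check.sh www.example.com
if [ -n "$1" ]; then
    HOST=$1
    openssl s_client -connect "$HOST:443" -servername "$HOST" -status -showcerts \
        </dev/null 2>/dev/null > handshake.txt
    echo "staple: $(staple_status < handshake.txt)" \
         "($(stapled_response_count < handshake.txt) response(s))"
    stapled_serials < handshake.txt | sed 's/^/  covers serial /'
    echo "chain:"
    ocsp_urls_in_chain < handshake.txt
fi
```

Run it against the site in question and compare the serial the staple covers with the chain listing: the leaf is covered, the intermediate is not, and the intermediate's responder URL is the host you should expect to see in the tcpdump when a client performs the revocation check the thread observes.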