OCSPStaple should be updated by the server after its expiration.
Today we can't update it directly without data races, and the only workaround is to use tls.Config.GetCertificate and return a certificate with OCSPStaple populated.
Can we add SetOCSPStaple function with mutex to tls.Certificate (just like SetSessionTicketKeys) to simplify this?
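To make the GetCertificate workaround mentioned in the report concrete, here is an added example (not code from this issue, from crypto/tls, or from the Go project): each refresh builds a new copy of the tls.Certificate with the fresh OCSPStaple and publishes it through an atomic pointer swap, so in-flight handshakes keep the old pointer and later ones pick up the new one without a race. The self-signed localhost certificate and the staple bytes are constructed test data (the staple is a placeholder, not a real OCSP response); the type name `stapledCert` and its methods are this example's own, and `atomic.Pointer` assumes Go 1.19 or newer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)

// stapledCert feeds tls.Config.GetCertificate a certificate whose OCSPStaple
// can be replaced while the server is live. Mutating one shared
// tls.Certificate would race with handshakes in flight, so every refresh
// publishes a new copy via an atomic pointer swap (Go 1.19+ atomic.Pointer).
type stapledCert struct {
	current atomic.Pointer[tls.Certificate]
}

func newStapledCert(base tls.Certificate) *stapledCert {
	s := &stapledCert{}
	s.current.Store(&base) // plain struct copy; no mutex lives in tls.Certificate
	return s
}

// SetStaple publishes a fresh OCSP response. The caller owns the refresh
// schedule (e.g. re-fetch well before the response's NextUpdate).
func (s *stapledCert) SetStaple(staple []byte) {
	next := *s.current.Load()                        // shallow copy of the struct
	next.OCSPStaple = append([]byte(nil), staple...) // private copy of the bytes
	s.current.Store(&next)
}

// GetCertificate satisfies tls.Config.GetCertificate. Handshakes that start
// after SetStaple see the new staple; earlier ones keep the pointer they got.
func (s *stapledCert) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return s.current.Load(), nil
}

// selfSignedCert builds a throwaway self-signed certificate for "localhost"
// plus a root pool that trusts it, so the example runs offline. This is
// constructed test data, not a deployment certificate.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// handshakeStaple runs one TLS handshake over an in-memory pipe and returns
// the OCSP response the client observed, i.e. what the server stapled.
func handshakeStaple(s *stapledCert, roots *x509.CertPool) ([]byte, error) {
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close() // close the raw pipes; tls.Conn.Close would block on close_notify
	defer cliConn.Close()
	srv := tls.Server(srvConn, &tls.Config{GetCertificate: s.GetCertificate})
	cli := tls.Client(cliConn, &tls.Config{RootCAs: roots, ServerName: "localhost"})
	errc := make(chan error, 1)
	go func() { errc <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		return nil, err
	}
	if err := <-errc; err != nil {
		return nil, err
	}
	return cli.ConnectionState().OCSPResponse, nil
}

func main() {
	base, roots, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	s := newStapledCert(base)
	before, _ := handshakeStaple(s, roots)
	s.SetStaple([]byte("constructed-ocsp-response-v1")) // placeholder staple bytes
	after, _ := handshakeStaple(s, roots)
	fmt.Printf("staple before refresh: %q\nstaple after refresh:  %q\n", before, after)
}
```

The server never parses or validates the staple; it forwards whatever bytes SetStaple published, so the refresh loop that fetches a real OCSP response should check its status and validity window before calling SetStaple.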
Chatted with @agl about this. tls.Certificate is occasionally passed by value (e.g., tls.LoadX509KeyPair returns a Certificate; tls.Config.Certificates is a tls.Certificate). So we would end up copying mutexes in a few places. AFAICT this is technically okay because copies would be made shortly after initialization (i.e. before anyone could reasonably call SetOCSPStaple). Though I don't know if this would pass review.
Alternatively, we could add a GetOCSPStaple callback, returning a staple for a given certificate. But would either solution really add much convenience over using GetCertificate? Maybe improving documentation of Certificate.OCSPStaple is a better solution.
Based on the lack of movement since the acceptance 3 years ago and the implementation difficulties noted above, and also the general lack of activity on this issue, this now seems like a likely decline.