Add support for signed_certificate_timestamp TLS extension #448
Comments
Thank you for the suggestion. Can you update your server certificate to one that includes the SCT X.509v3 extension? IMO it is the easiest and most portable way of adding Certificate Transparency support to your website. Or do you have any reason to use the TLS extension method? I have no objection to providing support for the SCT TLS extension in H2O, but the support will be limited to OpenSSL; LibreSSL does not provide the necessary interface for adding such extensions.
Unfortunately, StartSSL doesn't support the X509v3 extension (and some other CAs support it only for their EV certificates). It would be great if the TLS extension could be implemented so that it works with OpenSSL.
Thank you for the clarification. Sounds reasonable.
FWIW Let's Encrypt may embed CT extensions in its OCSP responses when they reach GA (letsencrypt/boulder#95).
Reading "Sustaining Digital Certificate Security", we might need to raise the priority of this issue.
Is there an update in regards to providing support for signed_certificate_timestamp TLS extension? Reading here: https://community.qualys.com/thread/16972-how-is-certificate-checked-for-certificate-transparency
Any updates?
This is needed in order to support Certificate Transparency.
nginx already has a module for this: https://github.com/grahamedgecombe/nginx-ct
ct-submit can be used to submit a certificate to the log servers.