Add support for signed_certificate_timestamp TLS extension

[gschlager]

This is needed in order to support Certificate Transparency.

nginx already has a module for this: https://github.com/grahamedgecombe/nginx-ct
ct-submit can be used to submit a certificate to the log servers.

[kazuho]

Thank you for the suggestion.

Can you update your server certificate to one that includes the SCT X.509v3 extension? IMO it is the easiest and most portable way of adding Certificate Transparency support to your website. Or do you have any reason to use the TLS extension method?

I have no objection in providing support for the SCT TLS extension in H2O, but the support will be limited to OpenSSL; libressl does not provide the necessary interface to adding such extensions.

[gschlager]

Unfortunately StartSSL doesn't support the X509v3 Extension (and some other CA's support it only for their EV certificates).

Would be great if the TLS extension could be implemented so that it works with OpenSSL.

[kazuho]

Thank you for the clarification. Sounds reasonable.

[kazuho]

FWIW Let's Encrypt may embed CT extensions in its OCSP responses when they reach GA (letsencrypt/boulder#95).

[kazuho]

Reading Sustaining Digital Certificate Security we might need to raise priority for this issue.

we (Chrome) are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency.

[axelu]

Is there an update in regards to providing support for signed_certificate_timestamp TLS extension? Reading here: https://community.qualys.com/thread/16972-how-is-certificate-checked-for-certificate-transparency
"About Let's Encrypt support for Certificate Transparency They are not providing SCT in Certificate X.509v3 extension. They have mentioned TLS Server owners who want to provide SCTs with their certificates should be able to fetch them directly from the CT logs and provide them via TLS extension."

[Jxck]

any updates ?