Add support for signed_certificate_timestamp TLS extension #448

Open
gschlager opened this issue Aug 18, 2015 · 7 comments

Comments

gschlager commented Aug 18, 2015

This is needed in order to support Certificate Transparency.

nginx already has a module for this: https://github.com/grahamedgecombe/nginx-ct
ct-submit can be used to submit a certificate to the log servers.

kazuho (Member) commented Aug 19, 2015

Thank you for the suggestion.

Can you update your server certificate to one that includes the SCT X.509v3 extension? IMO it is the easiest and most portable way of adding Certificate Transparency support to your website. Or do you have any reason to use the TLS extension method?

I have no objection to providing support for the SCT TLS extension in H2O, but the support will be limited to OpenSSL; libressl does not provide the necessary interface for adding such extensions.
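Both delivery methods discussed above carry the same payload: the X.509v3 extension wraps a SignedCertificateTimestampList in an OCTET STRING, and the TLS extension carries that list as its extension_data. As an added illustration (example code written for this page, not part of H2O, OpenSSL or nginx-ct), here is a bounds-checked parser for that structure in the RFC 6962 v1 encoding; the sample list, its log ID, timestamp and signature bytes are constructed placeholders, not values from any real log.

```python
import struct
from dataclasses import dataclass
@dataclass
class SCT:
    version: int
    log_id: bytes       # SHA-256 hash of the log's public key
    timestamp_ms: int   # milliseconds since the Unix epoch
    extensions: bytes
    hash_alg: int       # TLS HashAlgorithm code (4 = sha256)
    sig_alg: int        # TLS SignatureAlgorithm code (3 = ecdsa)
    signature: bytes
def _take(buf: bytes, pos: int, n: int):
    # Bounds-checked slice: a short buffer is a parse error, not an IndexError.
    if pos + n > len(buf):
        raise ValueError("truncated SCT data at offset %d" % pos)
    return buf[pos:pos + n], pos + n

def parse_sct(sct: bytes) -> SCT:
    # Decodes one SignedCertificateTimestamp (RFC 6962 section 3.2).
    ver, pos = _take(sct, 0, 1)
    if ver[0] != 0:  # only v1 (encoded as 0) is defined
        raise ValueError("unsupported SCT version %d" % ver[0])
    log_id, pos = _take(sct, pos, 32)
    ts, pos = _take(sct, pos, 8)
    ext_len, pos = _take(sct, pos, 2)
    ext, pos = _take(sct, pos, struct.unpack(">H", ext_len)[0])
    hdr, pos = _take(sct, pos, 4)  # hash alg, sig alg, signature length
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", hdr)
    sig, pos = _take(sct, pos, sig_len)
    if pos != len(sct):
        raise ValueError("trailing bytes after SCT")
    return SCT(0, log_id, struct.unpack(">Q", ts)[0], ext, hash_alg, sig_alg, sig)

def parse_sct_list(data: bytes) -> list:
    # Decodes a SignedCertificateTimestampList (RFC 6962 section 3.3): a 2-byte
    # total length, then SCTs that each carry their own 2-byte length prefix.
    total, pos = _take(data, 0, 2)
    if struct.unpack(">H", total)[0] != len(data) - 2:
        raise ValueError("list length does not match payload")
    scts = []
    while pos < len(data):
        n, pos = _take(data, pos, 2)
        body, pos = _take(data, pos, struct.unpack(">H", n)[0])
        scts.append(parse_sct(body))
    return scts

def build_sample_list() -> bytes:
    # Constructed sample with one SCT; log ID and signature are placeholder bytes.
    sct = (b"\x00" + b"\x11" * 32 + struct.pack(">Q", 1439942400000) + b"\x00\x00"
           + b"\x04\x03" + struct.pack(">H", 4) + b"\xde\xad\xbe\xef")
    return struct.pack(">H", len(sct) + 2) + struct.pack(">H", len(sct)) + sct
```

Parsing only establishes the structure; a client still has to verify each signature against the log's key and check the log ID against its trusted log list before treating the SCT as evidence.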

gschlager (Author) commented Aug 19, 2015

Unfortunately StartSSL doesn't support the X.509v3 extension (and some other CAs support it only for their EV certificates).

It would be great if the TLS extension could be implemented so that it works with OpenSSL.

kazuho (Member) commented Aug 20, 2015

Thank you for the clarification. Sounds reasonable.

kazuho (Member) commented Aug 20, 2015

FWIW Let's Encrypt may embed CT extensions in its OCSP responses when they reach GA (letsencrypt/boulder#95).

kazuho (Member) commented Oct 30, 2015

Reading "Sustaining Digital Certificate Security", we might need to raise the priority of this issue.

"we (Chrome) are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency."

axelu commented Jul 17, 2017

Is there an update regarding support for the signed_certificate_timestamp TLS extension? Reading here: https://community.qualys.com/thread/16972-how-is-certificate-checked-for-certificate-transparency
"About Let's Encrypt support for Certificate Transparency: They are not providing SCTs in the certificate X.509v3 extension. They have mentioned that TLS server owners who want to provide SCTs with their certificates should be able to fetch them directly from the CT logs and provide them via the TLS extension."

Jxck (Contributor) commented Dec 8, 2017

Any updates?
