OCSP Stapling

[rugk]

It would be nice if ejabberd would support OCSP Stapling. Nowadays there is even a way to force this stapling via special certificates, but for this to work you should support OCSP Stapling.
OCSP Stapling is very much recommend and is going to be the default in the web today.

[zinid]

We have this in ebe (commercial version of ejabberd), I'm not sure if the featrue is supposed to be ported to open source version.

BTW, in the meantime Google is getting rid of OCSP support in Chrome :)

[rugk]

BTW, in the meantime Google is getting rid of OCSP support in Chrome :)

OCSP is different to OCSP Stapling. AFAIK "OCSP Stapling" is still used by Chrome if supplied.

In any way this is really a basic feature of TLS, so I'd highly suggest to make this available in the open source version. All web bigger web servers (see here) have it and for an XMPP server it would also be very useful.

[zinid]

OK, my bad, commercial version has pure "OCSP" support, i.e. it has PKIX client authentication support with OCSP/CRL validation.
OCSP Stapling looks like much better way to validate at least server certificates.

[rugk]

OCSP Stapling looks like much better way to validate at least server certificates.

It is also a much better solution concerning privacy (as the CA does not have to be contacted) and it is faster too.

[strugee]

I'm interested in working on this. My guess is that the change to fix this should be introduced in fast_tls, right?

[zinid]

I don't know. Maybe in fast_tls, maybe in xmpp_stream_pkix, depending on complexity.