OCSP stapling support #212
Comments
nmengin
added
priority/P1
|
I'm assuming there is still no OCSP stapling support in traefik? This would be a nice performance enhancement for clients that properly support OCSP. |
|
I am a bit confused about the ticket description since I expected generic OCSP stapling support given the ticket title ("OCSP stapling support"). What is the relationship of OCSP stapling with ACME? Is there any OCSP stapling support in traefik already? I was not able to find anything in the docuentation about it. |
|
As far as I understand there is indeed no OCSP stapling support in Traefik yet. I also tried to verify that on my own Traefik setup and as far as Qualy's SSL Labs test is concerned, it does report missing OCSP stapling support. |
|
current status from code : |
|
@alemairebe if I understand the code correctly though that is just for the integrated ACME client. What about certificates that are loaded into the configuration externally, like from file providers? (My understanding of this issue is that it is for all of TLS configuration, not just ACME.) |
|
@icedream yes indeed , sorry , my comment was for requesting certificates with OCSP extension enabled. |
|
OCSP stapling support was added in the recently released version 1.11 of Go. It would be awesome if you could start implementing this feature in Traefik now. |
|
Would be also cool to have a slightly cleverer implementation than Apache/nginx. They're both lazily requesting these OCSP stapling requests (and also throwing them away too quickly), which results in OCSP errors where there wouldn't be necessary :) This post explains the issue around this very well (and there are also some helpful links for further information/implementation in it). |
|
nginx supports a cache file and you can use your own preferred method and time interval to update OCSP responses. |
|
Hello, what is the status regarding this support right now? Even with the LetsEncrypt support, there is no documentation about it. The code snippet from v1.7 mentioned earlier has moved to a new location on v2/master, but is still set to false: https://github.com/containous/traefik/blob/master/pkg/provider/acme/provider.go#L30-L33 The referenced lego repo seems to describe it as a CLI flag, I'm not a Go dev, so not sure what is involved to support it, does it just need that bool set to true? Can we get that enabled now, or make it a configurable? The lego repo resolved the issue with this commit from 2016. |
|
Hello, This issue is related to two different things:
|
|
@polarathene See an earlier comment of mine to the effect of this particular setting. This only covers the first point of @alesnav's response, but not the second part. |
|
@icedream ACME(and thus the common LetsEncrypt) stapling support is still better than none at all. That boolean should be configurable or enabled now. Getting support beyond providers that support ACME certs would still be nice, but shouldn't need to be a blocker for ACME to use stapling? EDIT: Ah, I've misunderstood. There is no point enabling
Go's TLS support does seem to cover OCSP Stapling though? I'm not a Go dev, so this is about as much as I can "help". The following afaik support OCSP Stapling, so digging into their code for implementation should reveal what needs to be done to contribute a PR to Traefik to provide the same functionality?(These are all Go projects, although Caddy I think kind of competes with Traefik/Nginx functionality)
So for anyone who's experienced with Go, perhaps CertMagic is the way to go, referencing how Caddy uses it? Since Traefik already handles TLS, I guess that'd be too invasive of a change, you might just need to reference the OCSP Stapling logic? |
|
@polarathene I didn't exactly think about it but if As you can see the TLS support only goes as far as to provide a placeholder byte slice to be filled with the respective OCSP response. The logic still needs to be implemented by Traefik itself as far as I know about Golang. |
dduportal
added
priority/P2
|
This is apparently a blocker for being able to fully meet the HIPAA or NIST Guidelines for TLS, too. Both of them require OCSP Stapling support. |
|
I would also like to see OCSP stapling support in Traefik. |
|
any news update? |
|
We do need this enhancement since there is ongoing connectivity issue in LE. No progress was made in months. |
|
@songrijie an alternative for now would be to have nginx or similar handle HTTPS and then handover to Traefik. That way you could handle OCSP stapling I think and still use Traefik for routing. Alternatively there is Caddy which released v2 recently. It's received a fair bit of praise and has one of the best OCSP stapling implementations afaik(nginx isn't as good). You might be able to swap Traefik out for Caddy if it suits your needs? It doesn't look like this feature is going to be worked on any time soon. |
This comment has been minimized.
This comment has been minimized.
|
What's the current status here? |
|
Is there a way to specifically sponsor this feature? |
This comment has been minimized.
This comment has been minimized.
|
Anyone know about the current status of this feature? |
|
According to immuniser ssl check it's non compliant with NIST guidelines. Any way to help getting this forward? |
|
golang/go#51064 (comment) contains a few hints |
|
What about the PR (#8393) that has been already linked to? |
This comment was marked as outdated.
This comment was marked as outdated.
tfny
added
the
contributor/wanted
|
Any update now? |
|
There is a very interesting thread about it here: cert-manager/cert-manager#5785 |
and others
Let's Encrypt for example also provides a lightweight chain file for OCSP stapling
(nginx e.g. supports this with option
stapling_verify).So the user should be able to provide a chain file (like nginx
ssl_trusted_certificateoption) for traefik.The text was updated successfully, but these errors were encountered: