OCSP stapling and OCSP Must-Staple

Hi folks,

Does anyone know if there’s a way to configure OCSP stapling and OCSP Must-Staple using Netlify? Thanks!

As far as I know, we do it automatically and there is nothing to enable. We definitely implemented it back in 2017 and I don’t see any indication that we turned it off later.

Do you not see it enabled for your site when you check it with https://ssllabs.com ?

Thanks for your response, Chris. Correct, SSL Labs shows that OCSP stapling is not enabled on my new Netlify site.

[screenshot: SSL Labs report showing OCSP stapling off]

Hi, @josh. I know we do enable OCSP stapling for our SSL/TLS certificates, but not the OCSP Must Staple. If you require this, you can upload your own custom certificate in place of the one automatically provisioned by Netlify.

Again, the OCSP stapling itself is normally enabled for the automated Let’s Encrypt certificates Netlify adds to the site. Clearly, the screenshot is showing something different though.

If this isn’t working, would you please send us a link to the SSL Labs report for the domain name (possibly using a DM to @fool or myself if you don’t want to post the link publicly)?

Hey @luke, thanks for this. Here is the SSL labs report for my site

I apologize for providing incorrect information, @josh. We do not support OCSP stapling despite multiple statements to the contrary.

We did support this for a time but the change was rolled back because there were issues with our implementation. It was disabled until we could correct it.

We do have an open issue (feature request - enhancement) to enable OCSP stapling again. We’ll post an update here to let you know if/when this enhancement is completed and working again.

In the meantime, getting a custom certificate would be the only way to do this.

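If you do go the custom-certificate route for Must-Staple, you will want to confirm the certificate you upload actually carries the extension. The following is an added example, not code from this thread or from Netlify: a stdlib-only Python check for the TLS Feature extension (RFC 7633, OID 1.3.6.1.5.5.7.1.24) requesting `status_request` (value 5) in a DER certificate. The helper names and the `sample_cert` skeleton are my own constructions; the skeleton is test data, not a real certificate.

```python
MUST_STAPLE_OID = bytes.fromhex("2b06010505070118")  # id-pe-tlsfeature 1.3.6.1.5.5.7.1.24
STATUS_REQUEST = 5  # TLS extension number for status_request (OCSP stapling)

def _tlv(der, pos=0):
    """Parse one DER TLV starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def _children(der):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(der):
        tag, value, pos = _tlv(der, pos)
        yield tag, value

def must_staple(cert_der):
    """Return (has_must_staple, critical, features) for a DER certificate."""
    _, cert, _ = _tlv(cert_der)             # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert)                  # tbsCertificate ::= SEQUENCE
    for tag, value in _children(tbs):
        if tag != 0xA3:                     # extensions [3] EXPLICIT
            continue
        _, exts, _ = _tlv(value)            # Extensions ::= SEQUENCE OF Extension
        for _, ext in _children(exts):
            fields = list(_children(ext))   # extnID, [critical], extnValue
            if fields[0][1] != MUST_STAPLE_OID:
                continue
            critical = len(fields) == 3 and fields[1][1] == b"\xff"
            _, seq, _ = _tlv(fields[-1][1]) # Features ::= SEQUENCE OF INTEGER
            features = [int.from_bytes(v, "big") for _, v in _children(seq)]
            return STATUS_REQUEST in features, critical, features
    return False, False, []

def _enc(tag, body):
    """Tiny DER encoder, used only to build the constructed sample below."""
    return bytes([tag, len(body)]) + body  # short-form lengths suffice here

def sample_cert(with_must_staple):
    """Constructed skeleton (not a real cert): only the fields the walker reads."""
    feature = _enc(0x04, _enc(0x30, _enc(0x02, bytes([STATUS_REQUEST]))))
    ext = _enc(0x30, _enc(0x06, MUST_STAPLE_OID) + feature)
    exts = _enc(0xA3, _enc(0x30, ext if with_must_staple else b""))
    tbs = _enc(0x30, _enc(0x02, b"\x01") + exts)  # serialNumber, ..., extensions
    return _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))
```

For a PEM file, `ssl.PEM_cert_to_DER_cert(open(path).read())` from the standard library gives the DER input; a certificate that passes this check still needs a server that actually staples, otherwise clients enforcing Must-Staple will refuse the connection.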

Thanks for the update @luke

Unfortunately I’m not sure that custom certificates are a good solution here. OCSP responses have a short validity period so I would need to upload a new custom certificate every 2 or 3 days. I will stay tuned for updates on the feature request :)


Are there any updates on this? I hope that this feature gets implemented.

No further updates, and based on the age of this feature request (coupled with almost no demand), there’s little chance this gets implemented.

I’d like to nudge this feature request. Support for OCSP is starting to show up in security reviews. We’re getting dinged for using Netlify as a host because of it. I’m negotiating with our customer to drop this as a requirement, but we might have to migrate our frontend hosting if they won’t.