On 3-3-2016 at 13:04, A. Schulze wrote:
> dovecot:
>
>> So I would like to know if Dovecot is planning to feature OCSP stapling.
>> That way I know for sure my "must staple" certificates can be used by
>> Dovecot. And in my opinion, every TLS-offering daemon should be up to
>> par with the capabilities of TLS. Not lag behind :)
>>
>> What's your opinion on this matter?
>
> OCSP stapling [c|s]hould be implemented on a server if clients *use*
> that data.
> For web browsers this is true.
>
> But I'm not aware of any MUA or MTA that validates certificates via OCSP.

BTW, I can imagine that Thunderbird can already do that, as it shares much of the Firefox code base. At least it should be relatively easy to add/enable there.

Regards,

Stephan.
On 03/03/2016 07:30 AM, Stephan Bosch wrote:
> BTW, I can imagine that Thunderbird can already do that, as it shares much of the Firefox code base.

Thunderbird definitely does validate certificates via OCSP, enabled by default, and I've run into that the hard way a couple of times w.r.t. StartSSL having issues with their responder. This isn't hypothetical, guys....
On 03-03-16 14:09, Gedalya wrote:
> On 03/03/2016 07:30 AM, Stephan Bosch wrote:
>> BTW, I can imagine that Thunderbird can already do that, as it shares much of the Firefox code base.
> Thunderbird definitely does validate certificates via OCSP, enabled by default, and I've run into that the hard way a couple of times w.r.t. StartSSL having issues with their responder. This isn't hypothetical, guys....

OCSP status querying isn't the same as verifying stapled OCSP responses, though. Can't find Thunderbird's support for stapling, unfortunately.
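The thread turns on two things: what a "must staple" certificate actually carries (the X.509 TLS Feature extension from RFC 7633, requiring the `status_request` TLS extension, type 5), and why a client that queries OCSP live is not the same as one that verifies a stapled response. The following is an added example, not code from Dovecot, Thunderbird or any poster; it decodes the TLS Feature extension from DER and applies the client-side rule that a must-staple certificate presented without a stapled response must be rejected. The DER byte strings are constructed by hand for illustration, not taken from a real certificate, and the verdict strings are this example's own.

```python
"""
Decoder for the X.509 TLS Feature extension (RFC 7633), the extension that
makes a certificate "OCSP Must-Staple", plus the client-side decision a
relying party has to make when it sees one.  Added example; the sample
DER values are constructed, not extracted from any real certificate.
"""

# OID of the TLS Feature extension: id-pe-tlsfeature (RFC 7633).
TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"

# TLS extension type numbers that may be listed in the TLS Feature extension.
STATUS_REQUEST = 5       # RFC 6066 "status_request": classic OCSP stapling
STATUS_REQUEST_V2 = 17   # RFC 6961 "status_request_v2": multi-response stapling


def _read_length(der: bytes, pos: int) -> tuple[int, int]:
    """Decode a DER length field at der[pos]; return (length, next position)."""
    first = der[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + 1 + nbytes > len(der):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(der[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def parse_tls_feature(ext_value: bytes) -> list[int]:
    """
    Decode the extnValue of a TLS Feature extension:
        Features ::= SEQUENCE OF INTEGER
    Returns the TLS extension type numbers the certificate requires the
    server to include in its handshake.
    """
    if not ext_value or ext_value[0] != 0x30:
        raise ValueError("TLS Feature extension must be a DER SEQUENCE")
    seq_len, pos = _read_length(ext_value, 1)
    end = pos + seq_len
    if end != len(ext_value):
        raise ValueError("SEQUENCE length does not match extension value")
    features: list[int] = []
    while pos < end:
        if ext_value[pos] != 0x02:
            raise ValueError("TLS Feature entries must be INTEGERs")
        int_len, pos = _read_length(ext_value, pos + 1)
        if int_len == 0 or pos + int_len > end:
            raise ValueError("bad INTEGER length in TLS Feature")
        features.append(int.from_bytes(ext_value[pos:pos + int_len], "big", signed=True))
        pos += int_len
    return features


def requires_stapling(features: list[int]) -> bool:
    """True if the certificate demands a stapled OCSP response."""
    return STATUS_REQUEST in features or STATUS_REQUEST_V2 in features


def stapling_verdict(features: list[int], stapled_response_present: bool) -> str:
    """
    Client-side rule: a must-staple certificate whose server handshake
    carries no CertificateStatus must be rejected (RFC 7633).  Without the
    extension the client falls back to its normal policy, e.g. a live OCSP
    query as the thread says Thunderbird does, which is a separate thing
    from verifying a stapled response.  Verdict strings are this example's own.
    """
    if requires_stapling(features) and not stapled_response_present:
        return "reject: certificate requires OCSP stapling but server sent none"
    if stapled_response_present:
        return "verify stapled response"
    return "no stapling required; apply client OCSP policy"


# Constructed sample: SEQUENCE { INTEGER 5 }, the usual must-staple encoding.
MUST_STAPLE_DER = bytes.fromhex("3003020105")
# Constructed sample: SEQUENCE { INTEGER 5, INTEGER 17 }.
MUST_STAPLE_V1_V2_DER = bytes.fromhex("3006020105020111")
# Constructed sample: empty SEQUENCE, no required features.
EMPTY_FEATURES_DER = bytes.fromhex("3000")

if __name__ == "__main__":
    feats = parse_tls_feature(MUST_STAPLE_DER)
    print("required TLS features:", feats)
    print("no staple from server:", stapling_verdict(feats, False))
    print("staple present:", stapling_verdict(feats, True))
```

In practice the `ext_value` bytes come from the certificate's extension with OID 1.3.6.1.5.5.7.1.24, and `stapled_response_present` is whether the server sent a CertificateStatus message in the handshake; that is the piece an IMAP server has to provide for a must-staple certificate to be usable at all, independent of whether the client also performs live OCSP queries.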