On 03-03-16 14:09, Gedalya wrote:
> On 03/03/2016 07:30 AM, Stephan Bosch wrote:
>> BTW, I can imagine that Thunderbird can already do that, as it shares much of the Firefox code base.
> Thunderbird definitely does validate certificates via OCSP, enabled by default, and I've run into that the hard way a couple of times wrt StartSSL having issues with their responder. This isn't hypothetical, guys....

OCSP status querying isn't the same as verifying stapled OCSP responses though. Can't find Thunderbird's support for stapling, unfortunately.

On 03/03/2016 08:17 AM, dovecot at flut.demon.nl wrote:
> On 03-03-16 14:09, Gedalya wrote:
>> On 03/03/2016 07:30 AM, Stephan Bosch wrote:
>>> BTW, I can imagine that Thunderbird can already do that, as it shares much of the Firefox code base.
>> Thunderbird definitely does validate certificates via OCSP, enabled by default, and I've run into that the hard way a couple of times wrt StartSSL having issues with their responder. This isn't hypothetical, guys....
> OCSP status querying isn't the same as verifying stapled OCSP responses though. Can't find Thunderbird's support for stapling, unfortunately.

No, it's not the same, but the claim was no use of OCSP at all.

Either way, this guy claims Thunderbird uses stapling, but with HTTP?
http://mobilesociety.typepad.com/mobile_life/2015/03/ocsp-stapling-and-android-that-doesnt-care.html

As Stephan pointed out, it's the same code base as Firefox. If someone can name an IMAP server that supports stapling, we could test it.

On 03-03-16 14:23, Gedalya wrote:
> On 03/03/2016 08:17 AM, dovecot at flut.demon.nl wrote:
>> On 03-03-16 14:09, Gedalya wrote:
>>> On 03/03/2016 07:30 AM, Stephan Bosch wrote:
>>>> BTW, I can imagine that Thunderbird can already do that, as it shares much of the Firefox code base.
>>> Thunderbird definitely does validate certificates via OCSP, enabled by default, and I've run into that the hard way a couple of times wrt StartSSL having issues with their responder. This isn't hypothetical, guys....
>> OCSP status querying isn't the same as verifying stapled OCSP responses though. Can't find Thunderbird's support for stapling, unfortunately.
> No, it's not the same, but the claim was no use of OCSP at all.
> Either way, this guy claims Thunderbird uses stapling, but with HTTP?
> http://mobilesociety.typepad.com/mobile_life/2015/03/ocsp-stapling-and-android-that-doesnt-care.html
> As Stephan pointed out, it's the same code base as Firefox. If someone can name an IMAP server that supports stapling, we could test it.

Hmm, that article does mention the request of OCSP status during the TLS session handshake, and I can confirm this on my own Thunderbird: the `ClientHello` handshake part *does* include a "status_request" extension of the type OCSP. So we can assure Andreas there are clients out there who use it :)
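The last message above reports a `status_request` extension of type OCSP in Thunderbird's `ClientHello`. The script below, added here as an example and not taken from the thread or from Thunderbird or Dovecot, shows exactly what that observation is: it builds a constructed TLS 1.2 `ClientHello` record (fixed random, made-up hostname `imap.example.test`, two sample cipher suites), parses it back according to RFC 5246 and RFC 6066 framing, and reports whether the client asked for stapling (`status_request`, extension type 5, `status_type` 1 = OCSP). The parser is general, so it can be run over a real captured `ClientHello` record too.

```python
import struct

# TLS constants (RFC 5246 record/handshake framing, RFC 6066 section 8)
CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0
EXT_STATUS_REQUEST = 5
STATUS_TYPE_OCSP = 1


def build_client_hello(include_status_request=True, sni=b"imap.example.test"):
    """Build a minimal, constructed ClientHello record (sample data only:
    the 32-byte random is fixed, not cryptographically generated)."""
    body = b"\x03\x03"                              # client_version: TLS 1.2
    body += bytes(range(32))                        # random (constructed)
    body += b"\x00"                                 # session_id: empty
    suites = b"\xc0\x2f\xc0\x30"                    # two sample ECDHE AES-GCM suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                             # compression_methods: null only
    exts = b""
    # server_name: ServerNameList of one host_name entry (name_type 0)
    sni_entry = b"\x00" + struct.pack("!H", len(sni)) + sni
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    if include_status_request:
        # status_request: status_type=ocsp, empty responder_id_list,
        # empty request_extensions (this is what a stapling-capable client sends)
        sr_data = bytes([STATUS_TYPE_OCSP]) + b"\x00\x00" + b"\x00\x00"
        exts += struct.pack("!HH", EXT_STATUS_REQUEST, len(sr_data)) + sr_data
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record layer version is commonly 0x0301 on the first flight
    return (bytes([CONTENT_TYPE_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ClientHello.
    Returns client version, offered cipher suites and a {type: data} map of extensions."""
    if len(record) < 5 or record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                   # client_version + random
    pos += 1 + body[pos]                            # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                            # compression_methods
    extensions = {}
    if pos < len(body):                             # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            raise ValueError("extensions length exceeds message")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if pos + elen > end:
                raise ValueError("truncated extension")
            extensions[etype] = body[pos:pos + elen]
            pos += elen
    return {"version": version, "cipher_suites": suites, "extensions": extensions}


def requests_ocsp_stapling(record: bytes) -> bool:
    """True when the ClientHello carries status_request with status_type ocsp(1),
    i.e. the client is willing to accept a stapled OCSP response."""
    ext = parse_client_hello(record)["extensions"].get(EXT_STATUS_REQUEST)
    return ext is not None and len(ext) >= 1 and ext[0] == STATUS_TYPE_OCSP


if __name__ == "__main__":
    for flag in (True, False):
        rec = build_client_hello(include_status_request=flag)
        print(f"status_request included={flag}: requests OCSP stapling -> {requests_ocsp_stapling(rec)}")
```

A client offering `status_request` only says it will accept a stapled response; whether the server actually staples is decided on the other side of the handshake. For the thread's open question of which IMAP servers staple, the manual check is `openssl s_client -connect host:993 -status` (or `-starttls imap` on port 143) and looking for an `OCSP Response Status: successful` block rather than `OCSP response: no response sent`.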