security/hakurei.app
security/hakurei.app
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity

handle Let's Encrypt removing OCSP support

Browse Source 
We can no longer use OCSP stapling and Must-Staple. These will soon be
obsolete once the `shortlived` profile is available for public use since
it will provide certificates with a similar lifetime as OCSP responses.

In the meantime, we've moved to the `tlsserver` profile stripping legacy
features to prepare for the `shortlived` profile which will be identical
to `tlsserver` but with a validity period of 6 days.
This commit is contained in:
Daniel Micay 2025-05-04 21:57:41 -04:00
parent c57490de09
commit 298c357bc9
3 changed files with 0 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
certbot-replicate
View File

@ -11,7 +11,6 @@ for replica in ${replicas[@]}; do
echo echo
rsync -rpcvl --delete --fsync --preallocate /etc/letsencrypt/ $replica:/etc/letsencrypt && rsync -rpcvl --delete --fsync --preallocate /etc/letsencrypt/ $replica:/etc/letsencrypt &&
rsync -rpcvl --delete --fsync --preallocate /var/cache/certbot-ocsp-fetcher/ $replica:/var/cache/certbot-ocsp-fetcher &&
ssh root@$replica nginx -s reload || ssh root@$replica nginx -s reload ||
status=1 status=1
done done

5
nginx/nginx.conf
View File

@ -66,11 +66,6 @@ http {
ssl_session_timeout 1d; ssl_session_timeout 1d;
ssl_buffer_size 4k; ssl_buffer_size 4k;
ssl_trusted_certificate /etc/letsencrypt/live/grapheneos.org/chain.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_stapling_file /var/cache/certbot-ocsp-fetcher/grapheneos.org.der;
log_format main '$connection-$connection_requests $remote_addr $remote_user $ssl_session_reused $ssl_protocol $server_protocol ' log_format main '$connection-$connection_requests $remote_addr $remote_user $ssl_session_reused $ssl_protocol $server_protocol '
'$host $request_method "$request_uri" $status $request_length $body_bytes_sent/$bytes_sent ' '$host $request_method "$request_uri" $status $request_length $body_bytes_sent/$bytes_sent '
'$request_time $upstream_connect_time/$upstream_header_time/$upstream_response_time ' '$request_time $upstream_connect_time/$upstream_header_time/$upstream_response_time '

1
static/features.html
View File

@ -1489,7 +1489,6 @@
when sending mail including alert messages from the attestation service</li> when sending mail including alert messages from the attestation service</li>
<li>SSHFP across all domains for pinning SSH keys</li> <li>SSHFP across all domains for pinning SSH keys</li>
<li>Static key pinning for our services in apps like Auditor</li> <li>Static key pinning for our services in apps like Auditor</li>
<li>Our web services use robust OCSP stapling with Must-Staple</li>
<li>No persistent cookies or similar client-side state for anything other than <li>No persistent cookies or similar client-side state for anything other than
login sessions, which are set up securely using <code>SameSite=Strict</code>, login sessions, which are set up securely using <code>SameSite=Strict</code>,
<code>Secure</code>, <code>HttpOnly</code>, and <code>Path=/</code> flags, prefixed with <code>Secure</code>, <code>HttpOnly</code>, and <code>Path=/</code> flags, prefixed with