proposal: crypto/tls: add SetOCSPStaple function #14878
Comments
gregory-m
changed the title
|
/cc @agl |
rakyll
changed the title
|
Ping @agl. Does this make sense? |
|
Ping |
|
Yes, this makes sense. I had originally expected people to atomically switch the |
bradfitz
changed the title
|
Chatted with @agl about this. Alternatively, we could add a |
|
How's it going with this issue? There hasn't been much activity since early December 2016, but the proposal was accepted, or are we too late in the cycle to do anything? |
|
This didn't get implemented, and GetCertificate and GetConfigForClient became the standard way to update anything in the server configuration. Caddy for example uses it to dynamically set OCSPStaple. I think we should not add complexity to tls.Certificate, nor yet another callback. Reverting the Proposal-Accepted and passing it to the proposal committee. |
FiloSottile
added
Proposal-Crypto
|
I also poked the code after it was accepted, and I don't see good way to implement it without rewriting huge part of code because of problems mentioned by @kreichgauer. |
|
Based on the lack of movement since the acceptance 3 years ago and the implementation difficulties noted above, and also the general lack of activity on this issue, this now seems like a likely decline. Leaving open for a week for final comments. |
rsc
changed the title
|
No change in consensus, so declined. |
OCSPStapleshould be updated by server after it expiration.Today we can't update it directly without data races, and the only one workaround is use
tls.Config.GetCertificateand return certificate withOCSPStaplepopulated.Can we add
SetOCSPStaplefunction with mutex totls.Certificate(just likeSetSessionTicketKeys) to simplify this?Thanks.
The text was updated successfully, but these errors were encountered: