feat: short-lived certs always pass OCSP checks (#42)

Firefox skips OCSP checks for certs younger than the number of days specified in security.pki.cert_short_lifetime_in_days (10 by default), which makes sense because OCSP stapling is redundant for short-lived certs. Revocation is only applicable to long-lived certs with lifetimes measured in weeks or longer. Ready now exhibits the same behavior.
sesh · Dec 13, 2024 · 20b2516 · 20b2516
1 parent bfce67b
commit 20b2516
Showing 1 changed file with 14 additions and 5 deletions.
diff --git a/ready/checks/ssl.py b/ready/checks/ssl.py
@@ -259,14 +259,23 @@ def check_ssl_certificate_should_provide_ocsp_must_staple(responses, **kwargs):
     loaded = x509.load_der_x509_certificate(certificate)
 
     has_must_staple_extension = False
-    for extension in loaded.extensions:
-        # see https://github.com/sesh/ready/issues/15 for details
-        if extension.oid.dotted_string == "1.3.6.1.5.5.7.1.24":
-            has_must_staple_extension = True
+    msg = "missing extension"
+
+    lifetime_days = (loaded.not_valid_after - loaded.not_valid_before).days
+    if lifetime_days < 10:
+        has_must_staple_exension = True
+        msg = "certificate is short-lived; missing extension"
+
+    else:
+        for extension in loaded.extensions:
+            # see https://github.com/sesh/ready/issues/15 for details
+            if extension.oid.dotted_string == "1.3.6.1.5.5.7.1.24":
+                has_must_staple_extension = True
+                msg = "includes extension"
 
     return result(
         has_must_staple_extension,
-        f"SSL certificate should provide OCSP must-staple ({'missing' if not has_must_staple_extension else 'includes'} extension)",
+        f"Long-lived SSL certificate should provide OCSP must-staple ({msg})",
         "ssl_ocsp_must_staple",
         warn_on_fail=True,
         **kwargs,