From 20b25167d7834de2be42b6fcac3022c7a935773b Mon Sep 17 00:00:00 2001
From: Seirdy
Date: Thu, 12 Dec 2024 19:25:47 -0500
Subject: [PATCH] feat: short-lived certs always pass OCSP checks (#42)

Firefox skips OCSP checks for certs younger than the number of days specified in security.pki.cert_short_lifetime_in_days (10 by default), which makes sense because OCSP stapling is redundant for short-lived certs. Revocation is only applicable to long-lived certs with lifetimes measured in weeks or longer. Ready now exhibits the same behavior.
---
 ready/checks/ssl.py | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/ready/checks/ssl.py b/ready/checks/ssl.py
index b34097e..2a3ca76 100644
--- a/ready/checks/ssl.py
+++ b/ready/checks/ssl.py
@@ -259,14 +259,23 @@ def check_ssl_certificate_should_provide_ocsp_must_staple(responses, **kwargs):
     loaded = x509.load_der_x509_certificate(certificate)
     has_must_staple_extension = False
-    for extension in loaded.extensions:
-        # see https://github.com/sesh/ready/issues/15 for details
-        if extension.oid.dotted_string == "1.3.6.1.5.5.7.1.24":
-            has_must_staple_extension = True
+    msg = "missing extension"
+
+    lifetime_days = (loaded.not_valid_after - loaded.not_valid_before).days
+    if lifetime_days < 10:
+        has_must_staple_exension = True
+        msg = "certificate is short-lived; missing extension"
+
+    else:
+        for extension in loaded.extensions:
+            # see https://github.com/sesh/ready/issues/15 for details
+            if extension.oid.dotted_string == "1.3.6.1.5.5.7.1.24":
+                has_must_staple_extension = True
+                msg = "includes extension"
     return result(
         has_must_staple_extension,
-        f"SSL certificate should provide OCSP must-staple ({'missing' if not has_must_staple_extension else 'includes'} extension)",
+        f"Long-lived SSL certificate should provide OCSP must-staple ({msg})",
         "ssl_ocsp_must_staple",
         warn_on_fail=True,
         **kwargs,