Topic: Letsencrypt: Prevent MITM with TLS and OCSP

fred
Joined: 01 Sep 2018 Posts: 3 Location: Germany, Hamburg
Posted: Mon 03 Sep '18 1:39 Post subject: Letsencrypt: Prevent MITM with TLS and OCSP
Hi,
some enterprises use client-side software to break SSL traffic.
This is done by installing CAs into the local client's CA store to simulate a legitimate SSL connection, but then sniffing (MITM) the 'secure connection'.
You can easily see this by looking at the certificate issuer in your current browser and comparing it to the visited site name itself. If the CA issuer isn't publicly known (self-signed), you should wonder.
You can prevent this breaking by creating Let's Encrypt certs with the OCSP '--must-staple' option.
By this, apache2 sends the CA confirmation via its TLS stream and the client doesn't need to check against its local CA certs, and if it's 'not ok', the browser throws an error.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Wed 05 Sep '18 11:41 Post subject:
I always install my certs by hand and don't always use Let's Encrypt. What does --must-staple do to the Apache config file?
fred
Joined: 01 Sep 2018 Posts: 3 Location: Germany, Hamburg
Posted: Sat 08 Sep '18 3:26 Post subject:
I also install them by hand, and before Let's Encrypt I had zero experience with 'real CAs'.
That '--must-staple' is a parameter used while creating Let's Encrypt certs, and I don't know how you can recreate this with any other 'SSL providers'.
On the apache2 side you don't need any additional config options, because that 'must-staple' state is enforced by the cert itself.
You can check if it's currently running, for example with dev.ssllabs.com.
When it's enabled, it tells you in the first part of the test result: "OCSP Must Staple Supported"
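As a local counterpart to the ssllabs check mentioned above, here is an added example (not code from the posts, and not part of any Apache Lounge, Let's Encrypt or certbot tooling): a stdlib-only Python script that inspects a certificate for the TLS Feature extension that carries Must-Staple (OID 1.3.6.1.5.5.7.1.24 with the value status_request = 5, per RFC 7633). The certificate it builds for itself is a constructed dummy with a placeholder name, key and zeroed signature, so the script runs offline; in real use you would feed `has_must_staple_pem()` the PEM that `openssl s_client -connect host:443 -servername host | openssl x509` prints.

```python
import ssl

# OCSP Must-Staple is the TLS Feature extension (RFC 7633). Its value is a
# SEQUENCE OF INTEGER naming TLS extension types; 5 = status_request.
MUST_STAPLE_OID = "1.3.6.1.5.5.7.1.24"
STATUS_REQUEST = 5

# ---- minimal DER reader (enough to walk a certificate) -------------------
def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the body of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _decode_oid(value):
    arcs, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)

def has_must_staple(cert_der):
    """True if the DER certificate's TLS Feature extension lists status_request."""
    _, cert, _ = _read_tlv(cert_der, 0)              # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                   # tbsCertificate
    for tag, val in _children(tbs):
        if tag != 0xA3:                              # [3] EXPLICIT Extensions
            continue
        _, exts, _ = _read_tlv(val, 0)               # SEQUENCE OF Extension
        for _, ext in _children(exts):
            fields = _children(ext)                  # extnID, [critical], extnValue
            if _decode_oid(fields[0][1]) != MUST_STAPLE_OID:
                continue
            _, features, _ = _read_tlv(fields[-1][1], 0)   # SEQUENCE OF INTEGER
            return any(t == 0x02 and int.from_bytes(v, "big") == STATUS_REQUEST
                       for t, v in _children(features))
    return False

def has_must_staple_pem(pem_text):
    """Same check for a PEM certificate, e.g. what 'openssl x509' prints."""
    return has_must_staple(ssl.PEM_cert_to_DER_cert(pem_text))

# ---- constructed sample input: a dummy, unsigned certificate ---------------
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def build_sample_cert(with_must_staple):
    """Structurally valid dummy certificate (placeholder name, key and
    signature; NOT a real or Let's Encrypt cert) for exercising the check."""
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid("2.5.4.3"))
                                            + _tlv(0x0C, b"example.test"))))
    sig_alg = _tlv(0x30, _tlv(0x06, _encode_oid("1.2.840.113549.1.1.11")))  # sha256WithRSA
    key_alg = _tlv(0x30, _tlv(0x06, _encode_oid("1.2.840.113549.1.1.1")))   # rsaEncryption
    validity = _tlv(0x30, _tlv(0x17, b"180901000000Z") + _tlv(0x17, b"181130000000Z"))
    spki = _tlv(0x30, key_alg + _tlv(0x03, b"\x00" * 33))                   # dummy key bits
    exts = _tlv(0x30, _tlv(0x06, _encode_oid("2.5.29.19")) + _tlv(0x04, _tlv(0x30, b"")))
    if with_must_staple:
        exts += _tlv(0x30, _tlv(0x06, _encode_oid(MUST_STAPLE_OID))
                     + _tlv(0x04, _tlv(0x30, _tlv(0x02, bytes([STATUS_REQUEST])))))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg
                 + name + validity + name + spki + _tlv(0xA3, _tlv(0x30, exts)))
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 33))

def build_sample_pem(with_must_staple):
    return ssl.DER_cert_to_PEM_cert(build_sample_cert(with_must_staple))

if __name__ == "__main__":
    for flag in (True, False):
        print("must-staple" if has_must_staple(build_sample_cert(flag)) else "no must-staple")
```

Two caveats a practitioner will want alongside this. First, the extension in the certificate is only half of it: the server has to actually staple a fresh OCSP response, which in Apache httpd means `SSLUseStapling on` plus an `SSLStaplingCache` in the mod_ssl configuration (`openssl s_client -connect host:443 -status` shows whether a response was sent). A Must-Staple certificate served without a stapled response is rejected outright by clients that enforce the extension, so check both before flipping it on. Second, Must-Staple defends against someone presenting your real certificate without a valid OCSP response; an interception proxy with its own CA in the client's trust store presents its own certificate, which carries no such extension, so the browser-side issuer check from the first post is still the one that catches that case.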