raymond-4469 asked MSfan-1740 answered

Server Lacks OCSP Stapling

Export Target
https://login.microsoftonline.com/

Description
The affected servers do not return their SSL certificate's revocation status information via OCSP Stapling.

OCSP stapling is a feature that can be enabled in most web servers to provide clients (such as browsers or mobile Apps) connecting to the server over HTTPS with the information needed to ensure that the certificate has not been revoked. Certificates can be revoked for a variety of reasons, including the compromise of the SSL key or when a certificate was mistakenly issued. Giving HTTPS clients the ability to check for revocation can mitigate the impact of invalid or compromised certificates, in specific attack scenarios.

Additionally, Apple has mentioned OCSP Stapling as a security mechanism that should now be deployed on mobile endpoints, in the "Your Apps and Evolving Network Security Standards" session of the WWDC 2017 conference and the "What is New in Security" session of the WWDC 2016 conference:

"OCSP Stapling is a standard that has been out for a couple of years, but we think that now is the time for folks to actually move to it and start adopting it because support for it is now quite widespread."

This could imply that OCSP Stapling will eventually become a requirement for iOS Apps to be accepted on the App Store.

Recommendation
Update the affected mobile endpoints’ configuration to enable support for OCSP Stapling. Most modern web servers including Apache and nginx support stapling.

azure-webapps
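The check behind a finding like the one above is usually a TLS handshake with the status-request extension enabled and a look at whether the server sends a stapled response. Added example, not from this thread or from the scanner that produced the report: a small POSIX shell helper that classifies the output of `openssl s_client -status` (the same check SSL Labs reports as "OCSP stapling"). The sample outputs at the bottom are constructed and abbreviated; the host name used for a live run is read from an assumed `OCSP_CHECK_HOST` environment variable, which is not something the page mentions.

```shell
#!/bin/sh
# Classify OCSP stapling from `openssl s_client -status` output.
# Added example; not code from the Q&A thread or from any scanner.

# Read s_client output on stdin; print "stapled", "not-stapled" or "unknown".
# openssl prints "OCSP response: no response sent" when nothing was stapled,
# and an "OCSP Response Status: successful" block when a staple was received.
stapling_state() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    echo stapled
  elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
    echo not-stapled
  else
    echo unknown
  fi
}

# Read s_client output on stdin; print the stapled "Cert Status" value
# (good, revoked or unknown), or nothing if no staple was present.
stapled_cert_status() {
  sed -n 's/^ *Cert Status: *//p' | head -n 1
}

# Live check (needs network and the openssl CLI). SNI is set explicitly,
# since many front ends only staple for the name they were asked for.
check_ocsp_stapling() {
  host=$1
  port=${2:-443}
  printf 'Q\n' \
    | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null \
    | stapling_state
}

# Constructed, abbreviated s_client output for a server that staples.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================
---
Certificate chain
'

# Constructed, abbreviated s_client output for a server that does not staple.
SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
'

# Optional live run, only when OCSP_CHECK_HOST is set (assumed variable name).
if [ -n "${OCSP_CHECK_HOST:-}" ]; then
  check_ocsp_stapling "$OCSP_CHECK_HOST"
fi
```

A "not-stapled" result means the server did not send a response, which is exactly the scanner finding; a "stapled" result with `Cert Status: revoked` would be a separate, more urgent issue. Note that a staple can be present for one SNI name and absent for another on the same IP, so run the check against the exact host name the application uses.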

@raymond-4469, can you please verify what Azure services you are using?

Azure Web Apps, which is the product tag you used, supports OCSP stapling. I double checked by testing my Azure issued SSL cert that is bound to my Azure Web App in ssllabs and it verified that OCSP stapling was supported.

We look forward to receiving more information on the services that you are using.


Hi @brtrach-MSFT, thanks for your reply.

We are using the Intune SDK, which depends on ADAL to authenticate with Azure. Is that the same as Azure Web Apps?


1 Answer

MSfan-1740 answered

Any updates on this?
