On 03-03-16 14:23, Gedalya wrote:
> On 03/03/2016 08:17 AM, dove...@flut.demon.nl wrote:
>> On 03-03-16 14:09, Gedalya wrote:
>>> On 03/03/2016 07:30 AM, Stephan Bosch wrote:
>>>> BTW, I can imagine that Thunderbird can already do that, as it shares much
>>>> of the Firefox code base.
>>> Thunderbird definitely does validate certificates via OCSP, enabled by
>>> default and I've run into that the hard way a couple of times wrt StartSSL
>>> having issues with their responder. This isn't hypothetical, guys....
>> OCSP status querying isn't the same as verifying stapled OCSP responses
>> though. Can't find Thunderbird's support for stapling unfortunately..
> No, it's not the same, but the claim was no use of OCSP at all.
> Either way, this guy claims Thunderbird uses stapling, but with HTTP?
> http://mobilesociety.typepad.com/mobile_life/2015/03/ocsp-stapling-and-android-that-doesnt-care.html
> As Stephan pointed out, it's the same code base as Firefox. If someone can
> name an IMAP server that supports stapling, we could test it.

Hmm, that article does mention the request of OCSP status during the TLS session handshake and I can confirm this on my own Thunderbird: the `ClientHello` handshake part *does* include a "status_request" extension of the type OCSP.
So we can assure Andreas there're clients out there who use it :)
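
The check described in this message (does a client's `ClientHello` carry a "status_request" extension of type OCSP?) can be scripted. The following is an added example, not part of the original thread: it assumes the ClientHello fits in a single TLS record, the function names are hypothetical, and the sample bytes and host name are constructed rather than captured.

```python
import struct

STATUS_REQUEST = 5  # extension type "status_request" (RFC 6066)
OCSP = 1            # CertificateStatusType "ocsp"

def client_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: data} for a ClientHello held in one TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    try:
        rec_len = struct.unpack("!H", record[3:5])[0]
        body = record[9:5 + rec_len]      # skip record (5) and handshake (4) headers
        pos = 2 + 32                      # client_version + random
        pos += 1 + body[pos]              # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]              # compression_methods
        exts = {}
        if pos == len(body):              # the extensions block is optional
            return exts
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            if pos + 4 + elen > min(end, len(body)):
                raise ValueError("extension runs past the end of the message")
            exts[etype] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
        return exts
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None

def requests_ocsp_staple(record: bytes) -> bool:
    """True if the client asks the server for a stapled OCSP response."""
    data = client_hello_extensions(record).get(STATUS_REQUEST)
    return bool(data) and data[0] == OCSP

# --- constructed sample input (not a capture) ---
def ext(etype: int, data: bytes) -> bytes:
    return struct.pack("!HH", etype, len(data)) + data

def build_client_hello(extensions: bytes) -> bytes:
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

NAME = b"imap.example.org"  # placeholder host name
SNI = ext(0, struct.pack("!HBH", len(NAME) + 3, 0, len(NAME)) + NAME)
STATUS = ext(STATUS_REQUEST, b"\x01\x00\x00\x00\x00")  # ocsp, empty responder/extension lists
```

A `True` result only shows that the client requested a staple; whether it validates the stapled response the server returns is a separate question.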