
OCSP stapling support

How to correct the “error” introduced in Chrome v68, which throws a NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED error.

For most webservers, the solution is to enable OCSP stapling.

What is the origin of your inquiry?
SSL connection in Chrome broken.

When did you become aware of this?
Upon deployment of Chrome v68.

What Ignite Realtime product is this related to?

Openfire, Version: 4.2.3

What is your problem exactly? Are you not able to login to Admin Console with the latest Chrome version? What certificates do you use? Custom or provided by Openfire?

Chrome v68 has started to throw this message:

Your connection is not private
Attackers might be trying to steal your information from im.domain.net (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED

On other webservers we simply enabled the feature “OCSP stapling” to get around this.

We do use official certs from Swisssign with OCSP enabled.

So, do you get this error connecting to Admin Console or where exactly?

Yes.

Let me refine the question a bit. Does the webserver support OCSP stapling or do I need to re-issue the cert with pre-cert option instead of OCSP?

https://www.swisssign.com/en/news/reminder-certificate-transparency-ct-mandatory-in-chrome-from-version-68.html

Openfire uses Jetty as a webserver. I couldn’t find much on Jetty + OCSP. Only this came up https://stackoverflow.com/questions/49904935/jetty-9-enable-ocsp-stapling-for-domain-validated-certificate and based on this thread it seems that there are not many OCSP settings in Jetty.
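As an added check, not from this thread or from the Openfire project: the Chrome error is about missing Signed Certificate Timestamps (SCTs), and OCSP stapling only satisfies it when the CA embeds SCTs in its OCSP responses; otherwise the SCTs have to be embedded in the certificate itself (the pre-cert route mentioned above) or sent in a TLS extension. The POSIX shell script below parses `openssl s_client -status -ct` output and reports whether the server stapled an OCSP response and how many SCTs reached the client, so a change to the server can be verified from the outside. The marker strings are the ones `openssl s_client` prints; the host name and the two sample outputs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): inspect what a TLS server actually
# delivers for Certificate Transparency by parsing `openssl s_client` output.
# Live use (needs network; `-ct` needs OpenSSL 1.1.0 or newer):
#   openssl s_client -connect im.example.net:443 -servername im.example.net \
#       -status -ct </dev/null 2>/dev/null | check_ct_delivery
# im.example.net is a placeholder host; the sample outputs below are constructed.

# stapled_ocsp_ok: reads s_client output on stdin; exit 0 if the server
# stapled a successful OCSP response (seen with -status), 1 otherwise.
stapled_ocsp_ok() {
    grep -q 'OCSP Response Status: successful'
}

# sct_count: reads s_client output on stdin; prints the number of SCTs that
# -ct found across all three delivery paths (certificate extension, stapled
# OCSP response, TLS extension). Prints 0 when the marker line is absent.
sct_count() {
    n=$(sed -n 's/^SCTs present (\([0-9][0-9]*\)).*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# check_ct_delivery: human-readable summary; exit 0 only when an OCSP
# response was stapled AND at least one SCT reached the client.
check_ct_delivery() {
    out=$(cat)
    rc=0
    if printf '%s\n' "$out" | stapled_ocsp_ok; then
        echo "stapled OCSP response: present"
    else
        echo "stapled OCSP response: missing (server does not staple)"
        rc=1
    fi
    n=$(printf '%s\n' "$out" | sct_count)
    if [ "$n" -gt 0 ]; then
        echo "SCTs delivered to client: $n"
    else
        echo "SCTs delivered to client: none (Chrome 68+ CT policy not satisfied)"
        rc=1
    fi
    return "$rc"
}

# Constructed samples of `s_client -status -ct` output (not real captures).
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================
---
Certificate chain
 0 s:CN = im.example.net
---
SCTs present (2)
---'

SAMPLE_UNSTAPLED='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:CN = im.example.net
---
SCTs present (0)
---'

# Demo run over the constructed samples.
for s in "$SAMPLE_STAPLED" "$SAMPLE_UNSTAPLED"; do
    if printf '%s\n' "$s" | check_ct_delivery; then
        echo "=> OK"
    else
        echo "=> FAIL"
    fi
done
```

For the server side, Jetty does TLS through JSSE, and on a Java 9 or newer runtime JSSE enables server-side OCSP stapling with the system property `jdk.tls.server.enableStatusRequestExtension=true` (JEP 249); whether Openfire exposes a way to set that property is not something this thread establishes, so treat it as a lead to verify rather than a confirmed Openfire setting.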