Caddy 2 tls must_staple

1. My Caddy version (caddy version):

v2.0.0-rc.3 h1:z2H/QnaRscip6aZJxwTbghu3zhC88Vo8l/K57WUce4Q=

The page "tls (Caddyfile directive) — Caddy Documentation" does not list the tls flag must_staple.

Why not?

How do I force must_staple without it?

must_staple is currently only available via JSON config.

FWIW, we generally discourage the use of must-staple unless you have a very specific reason for it / threat model that requires it.
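For reference, here is what the JSON route looks like. This is an added example, not configuration posted in the thread or shipped by the Caddy project: the hostname example.com, the server name srv0 and the static_response handler are placeholders chosen for illustration. The setting that matters is must_staple inside an automation policy under apps.tls; the policy's subjects list restricts it to the names you actually want Must-Staple for, so a single risky certificate does not drag every other site on the server with it.

```json
{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [":443"],
          "routes": [
            {
              "match": [{ "host": ["example.com"] }],
              "handle": [{ "handler": "static_response", "body": "ok" }]
            }
          ]
        }
      }
    },
    "tls": {
      "automation": {
        "policies": [
          {
            "subjects": ["example.com"],
            "must_staple": true
          }
        ]
      }
    }
  }
}
```

Load it with `caddy run --config caddy.json` (or POST it to the admin API). Note that once the CA has issued a certificate with the TLS Feature extension, removing must_staple from the config does not un-Must-Staple the certificate already on disk; you need a fresh issuance for that.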

Why though? It solves the revocation problem.

Unfortunately, not so. “The” revocation problem is actually many problems – and Must-Staple doesn’t solve them. It would solve problems if revocation actually worked, but revocation as a whole is broken. Although Caddy’s OCSP implementation is the best available in the industry for supporting Must-Staple, you still risk bricking your site for a time with factors that are out of your control. That’s why Must-Staple should only be used if you have a very specific reason / threat model that requires it. The only good solution to “the” revocation problem is shorter certificate lifetimes.

