Server Lacks OCSP Stapling

raymond 1 Reputation point
2021-02-04T07:17:52.323+00:00

Export Target
https://login.microsoftonline.com/

Description
The affected servers do not return their SSL certificate's revocation status information via OCSP Stapling.

OCSP stapling is a feature that can be enabled in most web servers to provide clients (such as browsers or mobile apps) connecting to the server over HTTPS with the information needed to ensure that the certificate has not been revoked. Certificates can be revoked for a variety of reasons, including the compromise of the SSL key or when a certificate was mistakenly issued. Giving HTTPS clients the ability to check for revocation can mitigate the impact of invalid or compromised certificates in specific attack scenarios.

Additionally, Apple has mentioned OCSP Stapling as a security mechanism that should now be deployed on mobile endpoints, in the "Your Apps and Evolving Network Security Standards" session of the WWDC 2017 conference and the "What is New in Security" session of the WWDC 2016 conference:

"OCSP Stapling is a standard that has been out for a couple of years, but we think that now is the time for folks to actually move to it and start adopting it because support for it is now quite widespread."

This could imply that OCSP Stapling will eventually become a requirement for iOS Apps to be accepted on the App Store.

Recommendation
Update the affected mobile endpoints' configuration to enable support for OCSP Stapling. Most modern web servers, including Apache and nginx, support stapling.
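One way to verify the finding above from the client side, and to confirm the fix once stapling has been enabled, as an added example that is not part of the original question (the constructed `s_client` samples, the host argument and the chain file path are assumptions):

```shell
#!/bin/sh
# Added example, not from the original question: report whether a TLS
# endpoint staples an OCSP response, the property the finding says is missing.

# Classify captured output of `openssl s_client -status`.
# Prints one of: stapled | missing | unknown
classify_stapling() {
  case "$1" in
    *"OCSP Response Status: successful"*) echo stapled ;;
    *"OCSP response: no response sent"*)  echo missing ;;
    *)                                    echo unknown ;;
  esac
}
# Extract the stapled certificate status (good / revoked / unknown), if any.
cert_status() {
  printf '%s\n' "$1" | sed -n 's/^ *Cert Status: \([a-z]*\).*/\1/p' | head -n 1
}
# Live check. -servername sends SNI so the right certificate (and its staple)
# is served; -status requests the status_request extension. Port 443 assumed.
check_stapling() {
  host=$1; port=${2:-443}
  out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
          -servername "$host" -status 2>/dev/null)
  result=$(classify_stapling "$out")
  echo "$host:$port stapling=$result cert_status=$(cert_status "$out")"
  [ "$result" = stapled ]
}

# Constructed, abbreviated s_client outputs to exercise the parser offline;
# they are not captures from any real server.
SAMPLE_MISSING='CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = example.test'
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good'

# nginx directives that turn stapling on (Apache: SSLUseStapling on plus an
# SSLStaplingCache); the chain path is a placeholder.
#   ssl_stapling on;
#   ssl_stapling_verify on;
#   ssl_trusted_certificate /etc/ssl/chain.pem;  # issuer chain for verification
#   resolver 127.0.0.53;                          # to reach the OCSP responder

if [ -n "${1:-}" ]; then check_stapling "$1" "${2:-443}"; fi
```

Run as `sh check_stapling.sh login.example.test` to test a live host; a `missing` result means the server negotiated TLS without a stapled response, which is exactly what the scanner flagged.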

1 answer

  1. MS-fan 1 Reputation point
    2021-04-14T06:49:51.357+00:00

    Any updates on this?
