  • Enabling OCSP stapling on IIS SNI-enabled site

    Sep 02, 2016 11:07 PM | franzom

    If Require Server Name Indication is checked on the binding of an IIS site, OCSP stapling is disabled for the site.

    This is easily confirmed by enabling SNI for a site that currently doesn't require it, and checking using https://www.ssllabs.com/ssltest/ or openssl:

    openssl s_client -connect foobar.com:443 -servername foobar.com -tls1 -tlsextdebug -status

    Does anyone have a workaround for this so that clients of SNI-enabled sites can enjoy the benefits of OCSP stapling?
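
An added example, not part of the original post: a shell helper that classifies the stapling result from the `openssl s_client ... -status` check quoted above, so the same site can be compared before and after Require Server Name Indication is ticked on the binding. The function names and both sample outputs are constructed for illustration, and `-tls1` and `-tlsextdebug` are left out so the client negotiates whatever protocol version it supports.

```shell
#!/bin/sh
# Added example (not from the original post). Names and samples are hypothetical.

# Reads `openssl s_client -status` output on stdin and prints one of:
#   stapled:<cert status>  the handshake carried a successful OCSP response
#   stapled-error          an OCSP response was stapled but is not "successful"
#   not-stapled            the handshake completed without an OCSP response
#   unknown                no OCSP section at all (for example, connect failed)
staple_status() {
  awk '
    /OCSP response: no response sent/ { none = 1 }
    /OCSP Response Status:/ { resp = ($0 ~ /successful/) ? "ok" : "error" }
    /Cert Status:/ {
      sub(/^.*Cert Status:[ \t]*/, "")   # keep only the value
      sub(/[ \t\r]+$/, "")               # drop trailing whitespace / CR
      cert = $0
    }
    END {
      if (none)                           print "not-stapled"
      else if (resp == "ok" && cert != "") print "stapled:" cert
      else if (resp != "")                print "stapled-error"
      else                                print "unknown"
    }'
}

# Live check: check_host <host> [port]. Sends SNI for <host> and requests a
# stapled response. The body is a subshell so the variables stay local.
check_host() (
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -status \
    </dev/null 2>/dev/null | staple_status
)

# Constructed sample outputs, trimmed to the lines the parser looks at.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---'

SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
---'
```

Run `check_host foobar.com` once with the binding option unchecked and once with it checked; the behaviour described in the post would show up as `stapled:good` followed by `not-stapled`.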