CA/Browser Forum declared OCSP as optional about caddy HOT 4 CLOSED

It makes no sense to turn it off by default. OCSP stapling is a huge benefit to users and server operators. It means browsers don't need to hit the responders (saving a lot of traffic globally), it means the server can check periodically for revocation (which is not unheard of if a CA has a bug, mass revocation events happen).

The only time it makes sense to turn off is if your server isn't able to reach OCSP responders anyway, due to network conditions. But that's rare.

from caddy.

Caddy is neither a web browser nor a CA; the CAB forum rules do not apply to web servers. The new rule simply changes the requirements regarding OCSP for CAs to be trusted by web browsers, this has no affect on web servers.

Most CAs are still operating OCSP responders. Disabling OCSP stapling puts Web security at a disadvantage this point. OCSP stapling is a privacy enhancement and traffic reducer. Caddy will not be disabling it by default.

Any errors encountered during OCSP stapling, however, are not treated as fatal/blockers, they are logged, but not as errors.

I don't think there's anything actionable for us to do at this time, so I'll close this issue.

from caddy.

Ok but then please improve the cli output. Currently it shows up as an error but it should be more just an information.

Google, Mozilla, etc. won't use OCSP in the future so it won't be the "huge benefit" you describe.
(You can see within the ballot that Google, Mozilla and Apple voted for the change, not against it.)

from caddy.

What error?

from caddy.