fix: remove checks related to ocsp

sesh · sesh · commit 611b1e368bfd · 2025-06-24T09:30:14.000+10:00
diff --git a/ready/checks/ssl.py b/ready/checks/ssl.py
@@ -216,67 +216,3 @@ def check_dns_caa_record_should_include_validationmethods(responses, **kwargs):
         warn_on_fail=True,
         **kwargs,
     )
-
-
-# Check: SSL certificate must provide OCSP URI
-def check_ssl_certificate_must_include_ocsp_uri(responses, **kwargs):
-    certificate = get_ssl_certificate(kwargs["domain"], ipv6=kwargs["is_ipv6"])
-    if not certificate:
-        ocsp = None
-    else:
-        ocsp = certificate.get("OCSP", None)
-
-    return result(
-        ocsp and all([("https://" in r or "http://" in r) for r in ocsp]),
-        f"SSL certificate must provide OCSP URI ({ocsp})",
-        "ssl_provide_ocsp_uri",
-        **kwargs,
-    )
-
-
-# Check: SSL certificate should provide OCSP must-staple
-def check_ssl_certificate_should_provide_ocsp_must_staple(responses, **kwargs):
-    try:
-        from cryptography import x509
-    except ImportError:
-        return result(
-            False,
-            f"SSL certificate should provide OCSP must-staple (cryptography not installed)",
-            "ssl_ocsp_must_staple",
-            warn_on_fail=True,
-            **kwargs,
-        )
-
-    certificate = get_ssl_certificate(kwargs["domain"], ipv6=kwargs["is_ipv6"], binary=True)
-    if not certificate:
-        return result(
-            False,
-            f"SSL certificate should provide OCSP must-staple (failed to load certificate)",
-            "ssl_ocsp_must_staple",
-            **kwargs,
-        )
-
-    loaded = x509.load_der_x509_certificate(certificate)
-
-    has_must_staple_extension = False
-    msg = "missing extension"
-
-    lifetime_days = (loaded.not_valid_after - loaded.not_valid_before).days
-    if lifetime_days < 10:
-        has_must_staple_exension = True
-        msg = "certificate is short-lived; missing extension"
-
-    else:
-        for extension in loaded.extensions:
-            # see https://github.com/sesh/ready/issues/15 for details
-            if extension.oid.dotted_string == "1.3.6.1.5.5.7.1.24":
-                has_must_staple_extension = True
-                msg = "includes extension"
-
-    return result(
-        has_must_staple_extension,
-        f"Long-lived SSL certificate should provide OCSP must-staple ({msg})",
-        "ssl_ocsp_must_staple",
-        warn_on_fail=True,
-        **kwargs,
-    )
diff --git a/ready/ready.py b/ready/ready.py
@@ -91,8 +91,6 @@
     check_ssl_connection_fails_with_tls_1_1,
     check_ssl_expiry_should_be_greater_than_five_days,
     check_ssl_expiry_should_be_less_than_one_year,
-    check_ssl_certificate_must_include_ocsp_uri,
-    check_ssl_certificate_should_provide_ocsp_must_staple,
 )
 from ready.checks.status import check_http_response_should_be_200
 from ready.checks.swagger import check_swagger_should_not_return_200
@@ -303,8 +301,6 @@ def ready(
             check_ssl_certificate_should_be_trusted,
             check_ssl_connection_fails_with_tls_1_1,
             check_ssl_connection_fails_with_tls_1_0,
-            check_ssl_certificate_must_include_ocsp_uri,
-            check_ssl_certificate_should_provide_ocsp_must_staple,
             check_dns_caa_record_should_exist,
             check_dns_caa_record_should_include_accounturi,
             check_dns_caa_record_should_include_validationmethods,
