[gnutls-devel] support of stapled OCSP responses under TLS1.3

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Nov 22 14:03:43 CET 2017 

On Tue, Nov 21, 2017 at 2:17 PM, Stefan Bühler <stbuehler at lighttpd.net> wrote:
>>>>>  I'm going through the support of stapled OCSP responses under TLS1.3.
>>>>> The major change in TLS1.3 is that there can be an OCSP response for
>>>>> each certificate sent, rather than one response for the
>>>>> end-certificate, and such responses can be provided also for the
>>>>> client certificate.
>>>>> Supporting multiple responses when verifying the certificates seems
>>>>> straightforward as we were doing that transparently without the
>>>>> application intervening.
>>>> [...]
>>>>
>>>> Hi,
>>>>  The merge request introducing multiple OCSP staples under TLS1.3 is at:
>>>> https://gitlab.com/gnutls/gnutls/merge_requests/548
>>>>
>>>> It tries hard not to require new APIs by enhancing
>>>> gnutls_certificate_set_ocsp_status_request_file() to parse the
>>>> response file and associate it with a certificate. On the other hand,
>>>> a new callback could not be avoided to retrieve more than one
>>>> responses, hence
>>>> gnutls_certificate_set_ocsp_status_request_function3() is added, as
>>>> well as gnutls_ocsp_status_request_get2() for application to read the
>>>> responses.
>>>
>>> As far as I can see gnutls_certificate_set_ocsp_status_request_function3
>>> provides the necessary interface.
>>>
>>>> I'd appreciate a review on that new functionality if you are already
>>>> familiar with the previous OCSP handling code, or intend to use it.
>>>>
>>>> After a discussion with Hubert Kario, I've also opened [0] which is
>>>> about automating the retrieval of OCSP responses and association with
>>>> server credentials, to reduce complexity from servers. It's currently
>>>> a bit low priority in the tls1.3 plan [1], and up for grabs, but it
>>>> would make an application server's code much simpler.
>>>
>>> A first step to make usage simpler would be to add a function similar to
>>> gnutls_certificate_set_ocsp_status_request_file which accepts a
>>> gnutls_datum_t instead of a filename.
>>
>> Thank you Stefan. If I remember well, my original intention for not
>> bringing that function was that I assumed that OCSP responses are
>> something volatile that will need to be updated now and then. As the
>> credentials structure is supposed to be accessed concurrently, do you
>> imply here having a set data buffer function which protects against
>> concurrent access, or an "unsafe" set function which is expected to be
>> used once, while later the credentials structure is recycled? (i.e.,
>> the server app, creates a new credentials structure for new sessions).
>
> My usecase so far is to simply restart the server after updating OCSP
> (we implemented an "angel" process that keeps the listening socket open,
> and it will wait for the new worker to be up before it stops the old one
> and so on, so restart doesn't cost much).
>
> So an "unsafe" set function is ok for me.
>
> Now that you need multiple files for multiple OCSP responses,
> gnutls_certificate_set_ocsp_status_request_file sounds even worse than
> before; you probably need a cronjob to update the files anyway, so if
> your server can handle a restart (or "reload ssl") well, it would be
> better to to have a "fixed response" interface.
>
> Add to this that if the file update is screwed (e.g. not atomic, or
> somehow fails to match the certificate it matched before), you'll have a
> hard time debugging it - either you won't see the error, or you'll get
> flooded with the same error...

Thank you, you bring some nice points.

>>> And even simpler would be auto-loading these responses from "OCSP
>>> RESPONSE" pem blocks in certificate files (or separate "ocsp" files).
>>> (I made up the term "OCSP RESPONSE"; afaik there is no standard name for
>>> this).
>>
>> Is the use of such a file format something that is being used? As the
>> OCSP response lifetime is much shorter than certificate lifecycle, I'd
>> expect that combo to cause an inconvenience.
>
> I used such file format (right now I'm back to a single file with DER);
> but mod_gnutls in lighttpd2 should support it.
>
> I think now that we might need many OCSP responses it will be easier to
> load multiple responses from one file, so a PEM encoding is useful imho.
>
> I also like having a way to put everything into one file; that way I can
> use a simple key-value lookup interface to load certs dynamically based
> on filenames (the backend could also use stat() for file-based lookup,
> or trigger ACME).
>
> But it would be sufficient if there is a generic
> "load_ocsp_responses_from_pem" which simply ignores other blocks, and
> perhaps makes sure all required responses are present and all responses
> match a loaded certificate.

Thank you Stefan, you brought some nice points. Inspired by them I
generated another MR with different contents. That more aggressively
changes behavior, by caching responses, but at the same time, being
more "safe" in using these responses (e.g., not serving expired
responses).

That builds on top of the previous patch set, and is at:
https://gitlab.com/gnutls/gnutls/merge_requests/551

regards,
Nikos

More information about the Gnutls-devel mailing list