[mod_gnutls-devel] Initial development for OCSP support

Benny Baumann BenBE at geshi.org
Tue Feb 18 10:06:09 CET 2014



Hi guys,

I found (and fixed locally) one issue regarding OCSP response validation
that could be used to supply us with stale responses if they were still
valid. The fix I implemented locally ensures that the response we accept
into the cache ALWAYS holds the same nonce as we just requested from the
server.

The fix will be pushed to GitHub later today.

This check IS missing in the OCSP client sample of the GnuTLS
documentation as it is absolutely NO magic to do but avoids real-world
attacks on implementations based on that sample.

Regards,
BenBE.

P.S.: @dkg: Could you forward this request to the GnuTLS people? TIA.

Am 17.02.2014 08:44, schrieb Benny Baumann:
> Hi guys,
>
> as some of you might have noticed in the IRC channel I did some work on
> implementing basic OCSP support in mod_gnutls the last few days and
> after some trouble I have the first working patches for it.
>
> The patches are currently highly experimental as they eat memory,
> kittens and your mom. DO NOT MERGE upstream. I'll do a rework of the
> series once all the major issues have been resolved which will have much
> cleaner patches than the current proof of concept.
>
> But anyways it would be nice if you could review and test the current
> status of the patches which can be found in my Github Repo[1] or checked
> out from [2] on branch stapling.
>
> Please send me your feedback, comments, improvements. Patches in Git
> Format preferred.
>
> Short note on how to activate the new functions:
> 1. Set up a normal VHost with mod_gnutls as usual
> 2. Set GnuTLSUseStapling on
> 3. Make sure your certificate file contains at least your leaf (end user
> certificate) as well as its issuer (in this order).
>
> Debug output is logged to error.log on level debug as well as some more
> critical messages as warnings.
>
> Looking forward to hearing from you,
> BenBE.
>
> [1] https://github.com/BenBE/mod_gnutls/tree/stapling
> [2] https://github.com/BenBE/mod_gnutls.git
>

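An added example (not code from mod_gnutls or GnuTLS) of the check the mail describes: pull the id-pkix-ocsp-nonce extension out of a DER-encoded OCSPResponse and admit a response to the cache only when it echoes exactly the nonce we put in the request, rejecting a nonce-less response outright. It assumes signature verification and the usual validity-window checks have already run on the response; the sample response is a constructed, unsigned skeleton and the function names are hypothetical.

```python
import hmac
NONCE_OID = bytes.fromhex("2b0601050507300102")  # id-pkix-ocsp-nonce 1.3.6.1.5.5.7.48.1.2
BASIC_OID = bytes.fromhex("2b0601050507300101")  # id-pkix-ocsp-basic 1.3.6.1.5.5.7.48.1.1

def der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample response."""
    n = len(body)
    if n < 0x80: return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def children(buf):
    """Split a DER content block into its (tag, value) elements (definite lengths only)."""
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                                   # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def response_nonce(resp_der):
    """Nonce bytes from OCSPResponse -> responseBytes -> BasicOCSPResponse -> tbsResponseData -> responseExtensions, else None."""
    top = children(children(resp_der)[0][1])            # [responseStatus, responseBytes [0]]
    if len(top) < 2: return None                        # status-only response (e.g. tryLater)
    resp_bytes = children(children(top[1][1])[0][1])    # [responseType OID, response OCTET STRING]
    basic = children(children(resp_bytes[1][1])[0][1])  # [tbsResponseData, signatureAlgorithm, signature, ...]
    past_responses = False
    for tag, val in children(basic[0][1]):              # tbsResponseData fields, in order
        if tag == 0x30:                                 # responses SEQUENCE OF SingleResponse
            past_responses = True
        elif tag == 0xA1 and past_responses:            # responseExtensions [1], not responderID byName [1]
            for _, ext in children(children(val)[0][1]):
                fields = children(ext)                  # [extnID, (critical), extnValue]
                if fields[0][1] == NONCE_OID:
                    return fields[-1][1]                # raw extnValue bytes, compared as sent
    return None

def accept_for_cache(request_nonce, resp_der):
    got = response_nonce(resp_der)
    return got is not None and hmac.compare_digest(got, request_nonce)  # missing nonce => reject

def sample_response(nonce=None):
    """Constructed, unsigned BasicOCSPResponse skeleton (responderID byKey) with an optional nonce."""
    exts = b"" if nonce is None else der(0xA1, der(0x30, der(0x30, der(0x06, NONCE_OID) + der(0x04, nonce))))
    tbs = der(0x30, der(0xA2, der(0x04, b"\x00" * 20)) + der(0x18, b"20140218090609Z") + der(0x30, b"") + exts)
    basic = der(0x30, tbs + der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b"))) + der(0x03, b"\x00"))
    return der(0x30, der(0x0A, b"\x00") + der(0xA0, der(0x30, der(0x06, BASIC_OID) + der(0x04, basic))))
```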