[mod_gnutls-devel] Support for OCSP stapling?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jan 21 01:48:31 CET 2014


On 01/13/2014 03:52 AM, Benny Baumann wrote:

> Are there plans to implement OCSP stapling in mod_gnutls?

I have no immediate plans for OCSP stapling in mod_gnutls (i'm still
trying to carve out time for a proper release with some of the newer
authentication features), but would be happy to see it added.

For those searching for it in the codebase, OCSP stapling is known
formally as an OCSP status request. see:

  https://tools.ietf.org/html/rfc6066#section-8

> What are the places that need to be looked into to do the necessary setup?

Modern versions of the GnuTLS library (since 3.1, i think) already have
OCSP functionality, so we'd just need to hook into that in mod_gnutls.

The simplest minimal approach would be to add a configuration parameter
to indicate the file to read the OCSP response from using:

 gnutls_certificate_set_ocsp_status_request_file()

and then rely on the server operator to update that file regularly with
something like this (e.g. from cron or a systemd timer file):

ocsptool --ask --load-cert server_cert.pem --load-issuer the_issuer.pem
         --load-signer the_issuer.pem --outfile ocsp.response


This is probably somewhat inefficient on high-traffic servers, but it
would provide a functioning implementation, and a more complex
in-process caching/re-fetching architecture could be built later.

Would this baseline implementation be useful for you?

	--dkg
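The "minimal approach" sketched above leaves the periodic refresh of the response file to the operator. The script below is an added example of what that cron or systemd-timer job could look like; it is not mod_gnutls code and not something from the thread. It wraps the ocsptool invocation from the message, writes the new response to a temporary file, and only moves it over the file mod_gnutls would load if the fetch succeeded and produced a non-empty file, so the server never reads a half-written or empty response. The certificate paths, the output path and the OCSP_FETCH_CMD override (which exists so the logic can be exercised without a live OCSP responder) are assumptions of this example.

```shell
#!/bin/sh
# Added example: periodic refresher for the OCSP response file that
# mod_gnutls would hand to gnutls_certificate_set_ocsp_status_request_file().
# Not part of mod_gnutls. Paths and the override variable are placeholders.
#
# Suggested crontab line (assumption, adjust paths and interval):
#   17 */6 * * *  /usr/local/sbin/refresh-ocsp.sh /etc/ssl/server_cert.pem \
#                 /etc/ssl/the_issuer.pem /var/lib/mod_gnutls/ocsp.response
set -u

# The command used to obtain a response. Defaults to GnuTLS's ocsptool;
# overridable so the file-handling logic can be tested offline.
OCSP_FETCH_CMD="${OCSP_FETCH_CMD:-ocsptool}"

# Fetch a fresh OCSP response for server cert $1 (issued by $2) into $3,
# using the same ocsptool arguments quoted in the message.
fetch_ocsp_response() {
    cert="$1"; issuer="$2"; out="$3"
    "$OCSP_FETCH_CMD" --ask --load-cert "$cert" --load-issuer "$issuer" \
        --load-signer "$issuer" --outfile "$out"
}

# Install candidate file $1 as $2 only if it is non-empty. mv within the
# same directory is a rename, so readers see either the old or the new
# file, never a partial one. Returns 1 (and keeps the old file) otherwise.
install_if_valid() {
    candidate="$1"; target="$2"
    if [ ! -s "$candidate" ]; then
        rm -f "$candidate"
        return 1
    fi
    mv -f "$candidate" "$target"
}

# Full refresh cycle: fetch to a temp file next to the target, then
# atomically install it. A failed fetch leaves the previous response
# untouched; the operator still needs monitoring for a response that
# keeps failing to refresh, since a stale file will eventually expire.
refresh_ocsp() {
    cert="$1"; issuer="$2"; target="$3"
    tmp="$target.tmp.$$"
    if fetch_ocsp_response "$cert" "$issuer" "$tmp"; then
        install_if_valid "$tmp" "$target"
    else
        rm -f "$tmp"
        return 1
    fi
}

# When invoked with the three paths, run one refresh; exit status follows
# the refresh so cron or systemd can report failures.
if [ "$#" -eq 3 ]; then
    refresh_ocsp "$@"
fi
```

Because the fetch and the install are separate steps, a network failure or a responder returning nothing does not clobber the response Apache is currently serving; the stale-but-valid file stays until the next successful run.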


