[mod_gnutls-devel] Support for OCSP stapling?
BenBE at geshi.org
Tue Jan 21 17:48:29 CET 2014
Am 21.01.2014 01:48, schrieb Daniel Kahn Gillmor:
> On 01/13/2014 03:52 AM, Benny Baumann wrote:
>> Are there plans to implement OCSP stapling in mod_gnutls?
> I have no immediate plans for OCSP stapling in mod_gnutls (i'm still
> trying to carve out time for a proper release with some of the newer
> authentication features), but would be happy to see it added.
At least the latest trunk works nicely for me, given I fetched the proper
repository ;-) (The last commit was quite a while ago, hence I'm wondering.)
> For those searching for it in the codebase, OCSP stapling is known
> formally as an OCSP status request. see:
Okay, good starting point for research ;-)
>> What are the places that need to be looked into to do the necessary setup?
> Modern versions of the GnuTLS library (since 3.1, i think) already have
> OCSP functionality, so we'd just need to hook into that in mod_gnutls.
I presumed something like that.
> The simplest minimal approach would be to add a configuration parameter
> to indicate the file to read the OCSP response from using:
Will look into it; especially in the case of VHosts and multiple
> and then rely on the server operator to update that file regularly with
> something like this (e.g. from cron or a systemd timer file):
> ocsptool --ask --load-cert server_cert.pem --load-issuer the_issuer.pem
> --load-signer the_issuer.pem --outfile ocsp.response
Not a nice solution IMHO, but doable. I'd prefer an "automatic fetch"
though, which would fetch the OCSP response from the OCSP server every
now and then.
> This is probably somewhat inefficient on high-traffic servers, but it
> would provide a functioning implementation, and a more complex
> in-process caching/re-fetching architecture could be built later.
> Would this baseline implementation be useful for you?
I think that might work for a baseline implementation. Can't say
anything about when I might get around to it though. I'll send patches
if I have something working; otherwise assume no work has been done on this yet.
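Added example, not code from mod_gnutls or from either poster: the cron / systemd-timer job that the quoted baseline approach relies on, built around the ocsptool command quoted above. All paths are assumptions, and the `--outder` flag is taken from the ocsptool manual rather than from the thread. Two things the one-liner alone does not cover are handled here: the responder can return a well-formed response whose responseStatus is tryLater or unauthorized, which must not overwrite a still-valid staple, and the file has to be swapped in atomically so the server never reads a partially written response.

```shell
#!/bin/sh
# Added example, not mod_gnutls code: cron / systemd-timer job that refreshes
# the OCSP response file an operator points the server at, following the
# ocsptool command quoted in the thread. All paths below are assumptions.
set -eu

CERT="${CERT:-/etc/ssl/certs/server_cert.pem}"          # assumed path
ISSUER="${ISSUER:-/etc/ssl/certs/the_issuer.pem}"       # assumed path
STAPLE="${STAPLE:-/var/lib/mod_gnutls/ocsp.response}"   # assumed path the server reads

# Return 0 if $1 is a DER OCSPResponse whose responseStatus is successful(0).
# Layout (RFC 6960): SEQUENCE 0x30, length (short form, or 0x81/0x82/0x83
# long form), then ENUMERATED 0x0a 0x01 and the status byte. A responder that
# answers tryLater(3) or unauthorized(6) still hands back a well-formed file,
# so the job must look at this byte before replacing a good staple with it.
ocsp_status_ok() {
    hex=$(od -An -tx1 -N12 "$1" | tr -d ' \n')
    case "$hex" in
        30[0-7]?0a0100*|3081??0a0100*|3082????0a0100*|3083??????0a0100*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = freshly fetched response, $2 = live staple path. Installs atomically.
install_response() {
    if ! ocsp_status_ok "$1"; then
        echo "ocsp refresh: responseStatus is not successful, keeping old staple" >&2
        rm -f "$1"
        return 1
    fi
    # mktemp creates the file 0600; the response is public data and the server
    # runs as an unprivileged user, so make it world-readable before the rename.
    chmod 0644 "$1"
    # rename(2) within one filesystem is atomic: the server never reads a
    # half-written file, and a failed fetch leaves the previous staple in place.
    mv -f "$1" "$2"
}

refresh_staple() {
    tmp=$(mktemp "$(dirname "$STAPLE")/.ocsp.XXXXXX")
    # --ask queries the responder named in the certificate's AIA extension;
    # --load-signer makes ocsptool verify the response signature against the
    # issuer before writing it (as in the quoted command). --outder (assumed
    # from the ocsptool manual) keeps the output DER, which the check expects.
    if ! ocsptool --ask --load-cert "$CERT" --load-issuer "$ISSUER" \
                  --load-signer "$ISSUER" --outder --outfile "$tmp"; then
        rm -f "$tmp"
        echo "ocsp refresh: fetch or signature verification failed" >&2
        return 1
    fi
    install_response "$tmp" "$STAPLE"
}

# Run as `ocsp-refresh.sh refresh` from cron; with no argument the script
# only defines the functions above.
case "${1:-}" in
    refresh) refresh_staple ;;
esac
```

Schedule the job well inside the response's validity window (once a day is typical, since responders usually set nextUpdate several days out): because a failed or non-successful fetch leaves the old file untouched, a transient responder outage then costs nothing, whereas a job that runs only at expiry would leave clients with a stale staple. The same keep-the-old-file rule is what an in-process refetching implementation in the module would need as well.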