[mod_gnutls-devel] Support for OCSP stapling?

Benny Baumann BenBE at geshi.org
Tue Jan 21 17:48:29 CET 2014



Hi Daniel,

On 21.01.2014 01:48, Daniel Kahn Gillmor wrote:
> On 01/13/2014 03:52 AM, Benny Baumann wrote:
>
>> Are there plans to implement OCSP stapling in mod_gnutls?
>
> I have no immediate plans for OCSP stapling in mod_gnutls (I'm still
> trying to carve out time for a proper release with some of the newer
> authentication features), but would be happy to see it added.
At least latest trunk works nicely for me; given I fetched the proper
repository ;-) (Last commit is quite a while ago, thus I'm wondering).
> For those searching for it in the codebase, OCSP stapling is known
> formally as an OCSP status request. see:
>
>   https://tools.ietf.org/html/rfc6066#section-8
Okay, good starting point for research ;-)
>> What are the places that need to be looked into to do the necessary setup?
>
> Modern versions of the GnuTLS library (since 3.1, I think) already have
> OCSP functionality, so we'd just need to hook into that in mod_gnutls.
I presumed something like that.
> The simplest minimal approach would be to add a configuration parameter
> to indicate the file to read the OCSP response from using:
>
>  gnutls_certificate_set_ocsp_status_request_file()
Will look into it; especially in the case of VHosts and multiple
certs/cert chains.
> and then rely on the server operator to update that file regularly with
> something like this (e.g. from cron or a systemd timer file):
>
> ocsptool --ask --load-cert server_cert.pem --load-issuer the_issuer.pem
>          --load-signer the_issuer.pem --outfile ocsp.response
Not a nice solution IMHO, but doable. I'd prefer an "automatic fetch"
though which would fetch the OCSP response from the OCSP server every
now and then.
>
>
> This is probably somewhat inefficient on high-traffic servers, but it
> would provide a functioning implementation, and a more complex
> in-process caching/re-fetching architecture could be built later.
>
> Would this baseline implementation be useful for you?
I think that might work for a baseline implementation. Can't tell
anything about when I might get around to it though. I'll send patches
if I have something working; otherwise assume no work done yet on this
topic.
>     --dkg
Regards,
BenBE.
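The cron-driven refresh dkg sketches above, written out as a script that verifies the fetched response and installs it atomically, so a handshake reading the file through gnutls_certificate_set_ocsp_status_request_file() never sees an empty or half-written response. This is an added example, not code from the thread or from the mod_gnutls project; the file names are placeholders, and the `--verify-response`/`--load-response` invocation assumes ocsptool's documented options.

```shell
#!/bin/sh
# Refresh the OCSP response file that mod_gnutls would staple.
# Added example, not from the mailing list thread or the mod_gnutls project.
set -u

# refresh_ocsp_response CERT ISSUER OUTFILE
# Fetch a fresh response, verify it, then atomically replace OUTFILE.
# On any failure the previous OUTFILE is left untouched: a stale but
# valid response is better than an empty or half-written file.
refresh_ocsp_response() {
    cert=$1; issuer=$2; outfile=$3
    tmp="$outfile.tmp.$$"   # same directory as OUTFILE, so mv is a rename

    # Fetch from the responder named in the certificate; --load-signer
    # makes ocsptool check the response signature (as in the thread).
    if ! ocsptool --ask --load-cert "$cert" --load-issuer "$issuer" \
                  --load-signer "$issuer" --outfile "$tmp" >/dev/null 2>&1; then
        echo "ocsp refresh: fetch failed, keeping old response" >&2
        rm -f "$tmp"
        return 1
    fi

    # Re-verify the saved file independently of the fetch step and refuse
    # to install an empty file (assumed ocsptool options --verify-response,
    # --load-response and --load-signer, per the ocsptool manual).
    if ! [ -s "$tmp" ] || ! ocsptool --verify-response --load-response "$tmp" \
                                     --load-signer "$issuer" >/dev/null 2>&1; then
        echo "ocsp refresh: verification failed, keeping old response" >&2
        rm -f "$tmp"
        return 1
    fi

    # rename(2) is atomic: a reader sees the old file or the new one, never a mix.
    mv -f "$tmp" "$outfile"
}

# A cron or systemd-timer job would invoke, with placeholder paths:
#   refresh_ocsp_response server_cert.pem the_issuer.pem ocsp.response
if [ $# -eq 3 ]; then
    refresh_ocsp_response "$1" "$2" "$3"
fi
```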