On 2016-09-06 14:16, Jakob Bohm wrote:
On 06/09/2016 10:25, Kurt Roeckx wrote:
If you think there is something we can do in OpenSSL to improve this,
please let us know.

Here is a list of software where I have personally observed bad OCSP
stapling support:

OpenSSL 1.0.x itself: There are hooks to provide stapled leaf OCSP
responses in sessions, but no meaningful sample code to do this right
(e.g. caching, error handling etc.)  I am working on my own add-on code
for this, but it is not complete and not deployed.

As far as I know the functions for that are:
https://www.openssl.org/docs/manmaster/ssl/SSL_set_tlsext_status_type.html

There is no built-in support for multistapling and no clear
documentation on how to add arbitrary TLS extensions (such as this) to
an OpenSSL application.

SSL_CTX_add_server_custom_ext() was added in 1.0.2, see https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_add_server_custom_ext.html

PS: I just found: https://istlsfastyet.com/

This is probably also getting a little off topic.


Kurt
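
The thread above points out that OpenSSL 1.0.x offers the stapling hooks (SSL_CTX_set_tlsext_status_cb(), SSL_set_tlsext_status_ocsp_resp()) but no sample code for the caching and error handling a server needs around them. The following is an added example, written for this page and not code from the thread, from OpenSSL or from any of the projects mentioned; every name in it (ocsp_cache_t, ocsp_cache_store, ocsp_cache_needs_refresh, ocsp_cache_note_failure, ocsp_cache_decide, the backoff constants) is hypothetical. It implements only the policy half, independent of libssl so it compiles stand-alone: keep a validated response, refresh it at the half-life of its validity window, back off after responder failures while continuing to serve the still-valid copy, never cache unsigned error responses such as tryLater, and stop stapling once nextUpdate has passed rather than send a stale response. In an OpenSSL status callback, STAPLE_SEND would correspond to copying the DER into OPENSSL_malloc'd memory, handing it to SSL_set_tlsext_status_ocsp_resp() and returning SSL_TLSEXT_ERR_OK, and STAPLE_NONE to returning SSL_TLSEXT_ERR_NOACK so the extension is omitted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical cache for one leaf certificate's stapled OCSP response.
 * The DER bytes are treated as opaque: a real server would fetch them
 * from the CA's responder and verify the signature before storing. */
#define OCSP_CACHE_MAX 4096
#define OCSP_BACKOFF_MIN 60L     /* seconds after the first fetch failure */
#define OCSP_BACKOFF_MAX 3600L   /* cap on the exponential backoff */

typedef struct {
    unsigned char der[OCSP_CACHE_MAX];
    size_t der_len;              /* 0 means "nothing cached" */
    time_t this_update;          /* thisUpdate from the BasicOCSPResponse */
    time_t next_update;          /* nextUpdate; unusable at or after it */
    time_t next_fetch_attempt;   /* earliest time a refresh may be tried */
    unsigned failures;           /* consecutive failed fetches */
} ocsp_cache_t;

typedef enum { STAPLE_NONE = 0, STAPLE_SEND = 1 } staple_decision_t;

void ocsp_cache_init(ocsp_cache_t *c) { memset(c, 0, sizeof *c); }

/* Accept a freshly fetched response only if it is cacheable: non-empty,
 * fits the buffer, carries OCSPResponseStatus successful (0, RFC 6960),
 * and has a sane validity window that has not already ended. Error
 * responses such as tryLater(3) are unsigned and must never be stapled. */
bool ocsp_cache_store(ocsp_cache_t *c, const unsigned char *der, size_t len,
                      int responder_status, time_t this_update,
                      time_t next_update, time_t now)
{
    if (len == 0 || len > OCSP_CACHE_MAX || responder_status != 0)
        return false;
    if (this_update > next_update || next_update <= now)
        return false;
    memcpy(c->der, der, len);
    c->der_len = len;
    c->this_update = this_update;
    c->next_update = next_update;
    c->next_fetch_attempt = now;
    c->failures = 0;
    return true;
}

/* Refresh at the half-life of the validity window (immediately when the
 * cache is empty), but never before the backoff deadline set by failures. */
bool ocsp_cache_needs_refresh(const ocsp_cache_t *c, time_t now)
{
    if (now < c->next_fetch_attempt)
        return false;
    if (c->der_len == 0)
        return true;
    time_t half = c->this_update + (c->next_update - c->this_update) / 2;
    return now >= half;
}

/* Exponential backoff so a flapping responder is not hammered, while the
 * still-valid cached response keeps being served in the meantime. */
void ocsp_cache_note_failure(ocsp_cache_t *c, time_t now)
{
    long delay = OCSP_BACKOFF_MIN << (c->failures < 6 ? c->failures : 6);
    if (delay > OCSP_BACKOFF_MAX)
        delay = OCSP_BACKOFF_MAX;
    c->next_fetch_attempt = now + delay;
    c->failures++;
}

/* Per-handshake decision: staple only a response still inside its
 * validity window; otherwise omit the extension rather than send a
 * stale response the client would reject. */
staple_decision_t ocsp_cache_decide(const ocsp_cache_t *c, time_t now)
{
    if (c->der_len == 0 || now >= c->next_update)
        return STAPLE_NONE;
    return STAPLE_SEND;
}

int main(void)
{
    ocsp_cache_t c;
    ocsp_cache_init(&c);
    /* Constructed placeholder bytes, not a real OCSP response. */
    static const unsigned char fake_der[] = { 0x30, 0x03, 0x0a, 0x01, 0x00 };
    time_t now = 1000;
    printf("before fetch: %s\n",
           ocsp_cache_decide(&c, now) == STAPLE_SEND ? "staple" : "omit");
    ocsp_cache_store(&c, fake_der, sizeof fake_der, 0, now, now + 1000, now);
    printf("after fetch:  %s\n",
           ocsp_cache_decide(&c, now) == STAPLE_SEND ? "staple" : "omit");
    printf("refresh at t+500? %d\n", ocsp_cache_needs_refresh(&c, now + 500));
    return 0;
}
```

The refresh check is meant to run from a background timer, not from the handshake callback, so a slow or unreachable responder never stalls client connections; the callback only ever consults ocsp_cache_decide(). Fetching well before nextUpdate and refusing to cache error responses are what keep a must-staple certificate from going dark when the responder has a bad hour.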

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
