On 06/09/2016 15:37, Kurt Roeckx wrote:
On 2016-09-06 14:16, Jakob Bohm wrote:
On 06/09/2016 10:25, Kurt Roeckx wrote:
If you think there is something we can do in OpenSSL to improve this,
please let us know.

Here is a list of software where I have personally observed bad OCSP
stapling support:

OpenSSL 1.0.x itself: There are hooks to provide stapled leaf OCSP
responses in sessions, but no meaningful sample code to do this right
(e.g. caching, error handling etc.)  I am working on my own add-on code
for this, but it is not complete and not deployed.

As far as I know the functions for that are:
https://www.openssl.org/docs/manmaster/ssl/SSL_set_tlsext_status_type.html

There is no builtin support for multistapling and no clear
documentation on how to add arbitrary TLS extensions (such as this) to
an OpenSSL application.

SSL_CTX_add_server_custom_ext() was added in 1.0.2, see
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_add_server_custom_ext.html


Neither of those calls (which I know) provides the lacking
functionality. Specifically, the _tlsext_ OCSP calls require each
server to design and build its own OCSP response acquisition and
caching code, while the _server_custom_ functions seemingly lack the
functionality to implement multistapling, at least as I read them.


PS: I just found: https://istlsfastyet.com/

This is probably also getting a little off topic.


But yes, the details of OpenSSL are off-topic in this newsgroup, this
was merely two entries in a long list of HTTPS server implementations
that cannot be easily configured to send the OCSP stapling responses
that some other posters suggested would be an appropriate workaround
for half-bad CAs.

The point of the list was simply to explain why requiring OCSP stapling
would not work on the current Internet.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
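The message above says OpenSSL provides the stapling hooks but leaves the response acquisition, caching and error handling to each server. The following is an added example (not OpenSSL code and not code from any poster) of the cache policy such a server needs: it keeps one OCSP response per certificate, refreshes it once half of the validity window has elapsed, keeps serving the last good response when the responder is unreachable, and sends no staple at all (rather than an expired one) once `nextUpdate` has passed. The fetch function, the clock, the fingerprint keys and the response bytes are all constructed for the example; in a real server the fetch would be an HTTP request to the responder URL from the certificate's AIA extension and `get_staple` would be called from the status callback registered with `SSL_CTX_set_tlsext_status_cb`.

```python
"""Illustrative OCSP staple cache (added example, not OpenSSL code).

Assumptions, all constructed for this example:
- fetch(fp) returns (der_bytes, this_update, next_update) with times in
  seconds since the epoch, or raises on a network/responder failure;
- one response is cached per certificate, keyed by a fingerprint string;
- the server's status callback calls get_staple() to decide what to send.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Refresh once this fraction of the validity window has elapsed, so a
# responder outage can be ridden out on the cached response.
REFRESH_FRACTION = 0.5


@dataclass
class OcspEntry:
    der: bytes           # encoded OCSP response as returned by the responder
    this_update: float   # start of the response's validity window
    next_update: float   # end of the response's validity window
    fetched_at: float


class StapleCache:
    def __init__(self, fetch: Callable[[str], Tuple[bytes, float, float]],
                 now: Callable[[], float]):
        self._fetch = fetch
        self._now = now
        self._entries: Dict[str, OcspEntry] = {}
        self.stats = {"fetch_ok": 0, "fetch_fail": 0, "served_none": 0}

    def _needs_refresh(self, e: OcspEntry) -> bool:
        window = e.next_update - e.this_update
        return self._now() >= e.next_update - REFRESH_FRACTION * window

    def get_staple(self, fp: str) -> Optional[bytes]:
        """Return the response bytes to staple, or None to send no staple."""
        now = self._now()
        e = self._entries.get(fp)
        if e is None or self._needs_refresh(e):
            try:
                der, this_update, next_update = self._fetch(fp)
            except Exception:
                # Responder down: fall through and serve the cached copy if
                # it is still within its validity window.
                self.stats["fetch_fail"] += 1
            else:
                # Reject responses that are not valid right now (already
                # expired, or thisUpdate in the future); keep the old entry.
                if next_update <= now or this_update > now:
                    self.stats["fetch_fail"] += 1
                else:
                    e = OcspEntry(der, this_update, next_update, now)
                    self._entries[fp] = e
                    self.stats["fetch_ok"] += 1
        if e is None or e.next_update <= now:
            # Nothing usable: drop the expired entry and staple nothing,
            # which leaves the client to fetch OCSP itself rather than
            # rejecting a stale staple.
            self._entries.pop(fp, None)
            self.stats["served_none"] += 1
            return None
        return e.der


def run_scenario():
    """Constructed scenario: a 7-day response, a responder outage, expiry."""
    DAY = 86400.0
    clock = {"t": 0.0}
    fetch_calls = []
    responder = {"ok": True, "resp": (b"OCSP-RESPONSE-1", 0.0, 7 * DAY)}

    def fake_fetch(fp: str) -> Tuple[bytes, float, float]:
        fetch_calls.append(fp)
        if not responder["ok"]:
            raise ConnectionError("responder unreachable")
        return responder["resp"]

    cache = StapleCache(fake_fetch, lambda: clock["t"])
    out = []
    out.append(cache.get_staple("fp-a"))   # day 0: fetched, RESPONSE-1
    clock["t"] = 2 * DAY
    out.append(cache.get_staple("fp-a"))   # day 2: cached, no fetch
    clock["t"] = 4 * DAY
    responder["ok"] = False
    out.append(cache.get_staple("fp-a"))   # day 4: refresh fails, still RESPONSE-1
    clock["t"] = 8 * DAY
    out.append(cache.get_staple("fp-a"))   # day 8: expired and responder down -> None
    responder["ok"] = True
    responder["resp"] = (b"OCSP-RESPONSE-2", 8 * DAY, 15 * DAY)
    out.append(cache.get_staple("fp-a"))   # responder back: RESPONSE-2
    return out, len(fetch_calls), dict(cache.stats)


if __name__ == "__main__":
    print(run_scenario())
```

The key design choice is the split between "refresh" and "expiry": refreshing early means a responder outage shorter than half the validity window is invisible to clients, while refusing to serve anything past `nextUpdate` avoids stapling a response the client would reject (and, with `OCSP Must-Staple`, would treat as a failed handshake).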
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy