forwarding your response to the list ...

Date: Tue, 6 Nov 2012 17:38:06 +0100
Subject: Re: SSL OCSP Stapling
From: [email protected]
To: [email protected]
I would say the periodic-request aspect of it is pretty trivial; you add a timer to the event loop that expires in some configurable amount of time, e.g. a bit before the last OCSP response expires, and you cache the result until it expires or a more recent result overwrites it. Given that the overhead of making a single OCSP request for the cert inside HAProxy is very low, you can easily do this every few minutes with no perceivable overhead. Obviously some logic re: failing requests and retrying has to be implemented, which amounts to nothing more than a formulation for how much time to wait until retrying again. The user should also be able to configure whether to deliver an expired OCSP response or none at all in the case that an upstream OCSP response cannot be received by the time the currently cached response expires.

A single timer and single cache slot are used for each certificate chain. The timer is reset with a new value when:

- a request fails; in this case we need to use our retry/backoff algorithm to decide how long to wait before retrying;
- a request succeeds; in this case we need to use our expires algorithm, which can be parameterized over the expiration time of the OCSP response, to decide how long to wait before trying to get a fresh response.

One thing to keep in mind is that OCSP stapling in many libraries has (or had, at one point) buggy or nonexistent support for OCSP payloads containing multiple certificates, and a bit of research should be done prior to implementation to discover the current state of the world in this regard. I believe the official word at one point was that OCSP stapling of chains should be accomplished by including the entire chain in the OCSP request, delivering that compound OCSP response via the TLS Certificate Status Request extension.
k

On Tue, Nov 6, 2012 at 4:57 PM, Lukas Tribus <[email protected]> wrote:

Don't know if it helps without some knowledge of the nginx source code, but here [1] you can find the patches applied to nginx to introduce OCSP support. It doesn't seem to be trivial to implement though, because you also need to run (at regular intervals) an OCSP query towards the CA's OCSP server...

[1] http://nginx.org/patches/ocsp-stapling/

----------------------------------------
> Date: Wed, 31 Oct 2012 22:52:55 +0100
> From: [email protected]
> To: [email protected]
> CC: [email protected]; [email protected]
> Subject: Re: SSL OCSP Stapling
>
> On Tue, Oct 30, 2012 at 03:26:21PM +0100, Baptiste wrote:
> > Hi,
> >
> > I discussed about it a few weeks ago with @emericbr @exceliance, but
> > he was a bit doubtful about it.
> > As far as I'm concerned, I think this would be a nice new feature.
> >
> > so let's wait for Willy's response.
>
> well, after having checked the RFC on this, I must confess that what it
> provides and the way it's supposed to work are still cryptic to me :-/
>
> If someone could explain in a simple way (assuming that something in TLS
> can be explained that way), and provide some real world use case, it would
> be nice.
>
> Regards,
> Willy
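The timer-plus-cache-slot scheme proposed in the first message (refresh a bit before the cached response expires, back off after a failed fetch, and let the operator choose between serving a stale response and none), as an added example that is neither HAProxy's nor nginx's code; the field names, defaults and the absence of jitter are assumptions:

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class StaplingSlot:
    """One cache slot plus one timer per certificate chain.

    Field defaults are assumed example values, not HAProxy settings.
    """
    refresh_lead: float = 600.0     # refresh this long before the response expires
    base_backoff: float = 30.0      # first retry delay after a failed fetch
    max_backoff: float = 3600.0     # retry delay cap
    serve_stale: bool = False       # deliver an expired response rather than none
    response: Optional[bytes] = None
    next_update: float = 0.0        # absolute expiry of the cached response
    timer_at: float = 0.0           # when the event loop should fetch again
    failures: int = 0

    def on_success(self, now: float, response: bytes, next_update: float) -> float:
        """A fresh OCSP response arrived: cache it and arm the expiry timer."""
        self.response, self.next_update, self.failures = response, next_update, 0
        # Fire a bit before expiry so a good answer normally replaces the old
        # one in time; never schedule into the past.
        self.timer_at = max(now, next_update - self.refresh_lead)
        return self.timer_at

    def on_failure(self, now: float) -> float:
        """The upstream responder did not answer: exponential backoff, capped."""
        self.failures += 1
        delay = min(self.base_backoff * 2 ** (self.failures - 1), self.max_backoff)
        self.timer_at = now + delay
        return self.timer_at

    def staple(self, now: float) -> Optional[bytes]:
        """What to send in the Certificate Status extension for a new handshake."""
        if self.response is None:
            return None
        if now >= self.next_update and not self.serve_stale:
            return None            # expired and the operator chose "none at all"
        return self.response

    def timer_due(self, now: float) -> bool:
        """True when the event loop should run the next OCSP fetch."""
        return now >= self.timer_at
```

In a real deployment the event loop would call `on_success` / `on_failure` from the OCSP fetch callback and read `staple()` during each handshake; a random jitter on the backoff delay keeps many instances from retrying in lockstep.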

