Hi Kyle,

We would have surely done that if the implementation were from scratch. But 
currently we are just trying to add a small enhancement to the existing 
functionality...:)

Thanks for your help.

Regards
Vijay

-----Original Message-----
From: Kyle Hamilton [mailto:aerow...@gmail.com] 
Sent: Wednesday, April 15, 2009 2:40 AM
To: Vijay Kothamasu (vikotham)
Cc: openssl-users@openssl.org; Kamalakanta Palei (kpalei); Jagadish Mynampati 
(jmynampa); Uma Sankar Panda (upanda)
Subject: Re: Query on OpenSSL for Certificate verification

I'd be happy to, if you engage me as a contractor.

-Kyle H

On Tue, Apr 14, 2009 at 12:26 PM, Vijay Kothamasu (vikotham) 
<vikot...@cisco.com> wrote:
> Hi Kyle,
>
> Thanks for your valuable inputs, find my response inline.
>
>
> Then don't return from the original SSL_CTX_set_verify callback until 
> you
> either:
> a) receive a valid OCSP response that says it's okay,
> b) receive a valid OCSP response that says it's not okay,
> c) receive an invalid OCSP response (i.e., OCSP failure), or
> d) time out.
> [Vijay] Blocking in the callback function is not feasible, as our 
> product operates in a single-thread model, for whatsoever reason that may 
> be. If we block in the callback function, there will be a huge number of 
> other events which will not be processed till we return from this 
> function, which is really costly for our kind of scenario.
>
> You're perilously close to a "chicken and egg" problem here:
>
> 1) You need the certificate to check
> 2) you cannot get the certificate to check until you attempt to make 
> the connection
> 3) once you connect, you are stuck in a state machine where you 
> haven't checked the certificate.
> [Vijay]  You are very correct
>
> Some browsers try to handle this kind of situation by scanning HTML 
> for links and pre-loading them to the cache.  These tend not to work 
> all that well.
>
> If you're returning asynchronously, then you also need to have a 
> mechanism to send asynchronous exceptions.
> [Vijay] Could you please provide more details on this method? What are 
> these exceptions? How do we report the status through these exceptions 
> asynchronously? Please provide us a sample program and documentation 
> regarding the exceptions. Also, do you foresee any issues with this 
> kind of approach?
>
>   Either that, or you have to make it synchronous until the OCSP 
> response is returned.
> [Vijay] I discussed with our team; the synchronous method is not feasible.
>
> Thanks again for your help.
>
> Regards
> Vijay
>
> -----Original Message-----
> From: Kyle Hamilton [mailto:aerow...@gmail.com]
> Sent: Tuesday, April 14, 2009 7:57 AM
> To: Vijay Kothamasu (vikotham)
> Cc: openssl-users@openssl.org; Kamalakanta Palei (kpalei); Jagadish 
> Mynampati (jmynampa); Uma Sankar Panda (upanda)
> Subject: Re: Query on OpenSSL for Certificate verification
>
> Then don't return from the original SSL_CTX_set_verify callback until 
> you
> either:
> a) receive a valid OCSP response that says it's okay,
> b) receive a valid OCSP response that says it's not okay,
> c) receive an invalid OCSP response (i.e., OCSP failure), or
> d) time out.
>
> You're perilously close to a "chicken and egg" problem here:
>
> 1) You need the certificate to check
> 2) you cannot get the certificate to check until you attempt to make 
> the connection
> 3) once you connect, you are stuck in a state machine where you 
> haven't checked the certificate.
>
> Some browsers try to handle this kind of situation by scanning HTML 
> for links and pre-loading them to the cache.  These tend not to work 
> all that well.
>
> If you're returning asynchronously, then you also need to have a 
> mechanism to send asynchronous exceptions.  Either that, or you have 
> to make it synchronous until the OCSP response is returned.
>
> -Kyle H
>
> On Mon, Apr 13, 2009 at 2:35 PM, Vijay Kothamasu (vikotham) 
> <vikot...@cisco.com> wrote:
>> Hi Kyle,
>>
>> Sorry for the delayed response, I am just back from my vacation.
>>
>> Thank you so much for your response and the information provided.
>>
>> But even with the SSL_CTX_set_verify() callback invocation, the 
>> result of the certificate validation needs to be returned in the 
>> context of the callback function itself in a synchronous manner, 
>> whereas in our scenario the cert validation status is reported back 
>> in an asynchronous manner, as I explained earlier.
>>
>> I am just wondering how can I realize that scenario.
>>
>> Thanks again.
>>
>> Regards
>> Vijay
>>
>>
>>
>>
>>
>> -----Original Message-----
>> From: Kyle Hamilton [mailto:aerow...@gmail.com]
>> Sent: Tuesday, April 07, 2009 12:26 PM
>> To: openssl-users@openssl.org
>> Cc: Kamalakanta Palei (kpalei); kvi...@gmail.com; Vijay Kothamasu
>> (vikotham)
>> Subject: Re: Query on OpenSSL for Certificate verification
>>
>> This is a protocol called OCSP, with its "designated responder" mechanism.
>>
>> If you want to implement it, call the OCSP functions with the DR 
>> address and the fields that OCSP needs during the 
>> SSL_CTX_set_verify() callback invocation; if you really need to, 
>> create two separate SSL_CTX contexts, one of which calls a function 
>> to check the certificate status, the other of which always passes (so 
>> that the DR certificate doesn't need to be in the client's local store).
>>
>> Note that I consider this insecure.  First, the denial of service 
>> potential (the DR goes down).  Second, man-in-the-middle or 
>> redirection attacks (the DR is replaced by a bogus one).  Third, the 
>> entire point of
>> X.509 is to allow for clients to have all the information they need 
>> to verify certificates in the absence of an online authority.
>>
>> For more information I suggest you read the cryptographic literature 
>> for the protocols that exist.
>>
>> -Kyle H
>>
>> On Mon, Apr 6, 2009 at 8:18 AM, Vijay Kothamasu (vikotham) 
>> <vikot...@cisco.com> wrote:
>>> Hi,
>>>
>>> I am just wondering if there is a way to realize the following 
>>> scenario with the help of OpenSSL libraries, here is the brief 
>>> explanation in this regard.
>>>
>>> ---------------------------------
>>> I have a client and server who need to set up a secure connection 
>>> using TLS/SSL. As part of the handshake, the server sends its certificate 
>>> to the client. But the client doesn't have any certificates with it to 
>>> authenticate the certificate; rather, it needs to communicate (a 
>>> non-blocking call) with another entity (like a Certificate Authority 
>>> (CA)) to get the certificate validated. This CA will look through its 
>>> list of certificates to authenticate it and inform the client back 
>>> in an asynchronous manner (maybe some callback) that the 
>>> certificate is valid. Now the client will proceed further with the 
>>> server to complete the handshake and set up the connection.
>>>
>>> Here is a pictorial description of this scenario for better clarity
>>>
>>>
>>> ---------------------------------
>>>
>>> I went through the available documentation; to the best of my 
>>> understanding, I couldn't find the library APIs (SSL/BIO/X509) to 
>>> realize the above scenario.
>>>
>>> Is there any way to fit in the above verification setup as part of 
>>> the handshake? It will be of great help if anybody can provide me 
>>> the pointers in this regard.
>>>
>>> Thanks for your help in advance.
>>>
>>> Regards
>>> Vijay
>>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
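The option the thread circles around, for a single-threaded client that cannot block inside the verify callback, is to let the synchronous SSL_CTX_set_verify() callback do only the offline chain checks and tentatively accept, then hold the connection in a "status pending" state and release no application data until the asynchronous status answer arrives. The following model is an added illustration for this thread, not code from the list posts and not linked against OpenSSL: the event loop, the responder and the certificate are simulated, the 5-second deadline is an assumed value, and `DeferredVerifyConnection`, `run_scenario` and the state names are all invented for the example. It handles the four outcomes Kyle enumerates (valid response saying okay, valid response saying not okay, invalid response, timeout) and closes the connection on anything except "okay", so a late or lost responder fails closed rather than open.

```python
"""Deferred certificate-status check for a single-threaded TLS client.

Illustrative model only (not OpenSSL code): the synchronous verify callback
tentatively accepts a chain that passes the offline checks, the connection
then waits in PENDING_STATUS for a non-blocking status query, and no
application data leaves until the answer is 'good'.
"""
from enum import Enum, auto


class State(Enum):
    HANDSHAKING = auto()
    PENDING_STATUS = auto()   # handshake finished, status answer outstanding
    ESTABLISHED = auto()
    CLOSED = auto()


class OcspResult(Enum):
    GOOD = auto()
    REVOKED = auto()
    INVALID = auto()          # unparsable, badly signed or stale response


OCSP_TIMEOUT = 5.0            # seconds; assumed value for this example


class DeferredVerifyConnection:
    def __init__(self):
        self.state = State.HANDSHAKING
        self.peer_cert = None
        self.deadline = None
        self.held_writes = []   # application data waiting for the status answer
        self.close_reason = None

    def verify_callback(self, preverify_ok, cert):
        """Stand-in for the SSL_CTX_set_verify() callback: must answer now."""
        if not preverify_ok:             # signature/expiry/chain already failed
            self._close("chain_invalid")
            return 0
        self.peer_cert = cert            # keep it for the asynchronous query
        return 1                         # tentative accept; status still unknown

    def on_handshake_complete(self, now):
        if self.state is State.CLOSED:
            return
        self.state = State.PENDING_STATUS
        self.deadline = now + OCSP_TIMEOUT
        # here the real client would issue a non-blocking status request
        # for self.peer_cert and return to the event loop

    def write(self, data):
        """Return True if data was sent now, False if held or dropped."""
        if self.state is State.ESTABLISHED:
            return True
        if self.state is State.PENDING_STATUS:
            self.held_writes.append(data)
        return False                     # HANDSHAKING/CLOSED: nothing sent

    def on_ocsp_response(self, result):
        """Event-loop callback for the status answer; returns released writes."""
        if self.state is not State.PENDING_STATUS:
            return []                    # late or duplicate answer: ignore
        if result is OcspResult.GOOD:
            self.state = State.ESTABLISHED
            released, self.held_writes = self.held_writes, []
            return released
        self._close(result.name.lower())  # 'revoked' or 'invalid'
        return []

    def on_tick(self, now):
        if self.state is State.PENDING_STATUS and now >= self.deadline:
            self._close("ocsp_timeout")  # no answer: fail closed

    def _close(self, reason):
        self.state = State.CLOSED
        self.held_writes.clear()         # never reaches an unverified peer
        self.close_reason = reason


def run_scenario(events):
    """Drive one connection through (time, event, arg) tuples and return
    (final_state, close_reason, data_actually_sent)."""
    conn = DeferredVerifyConnection()
    sent = []
    for now, event, arg in events:
        if event == "handshake":         # arg: preverify_ok from chain checks
            conn.verify_callback(arg, "server-cert (constructed)")
            conn.on_handshake_complete(now)
        elif event == "write":
            if conn.write(arg):
                sent.append(arg)
        elif event == "ocsp":
            sent.extend(conn.on_ocsp_response(arg))
        conn.on_tick(now)                # the loop's timer fires every step
    return conn.state, conn.close_reason, sent


if __name__ == "__main__":
    print(run_scenario([(0, "handshake", True), (1, "write", b"GET /"),
                        (2, "ocsp", OcspResult.GOOD), (3, "write", b"next")]))
```

Two caveats follow from Kyle's "chicken and egg" point. First, this pattern does not stop the handshake itself from completing against a certificate whose status is still unknown; it only keeps application data off the wire until the answer comes, so the check on the verify callback side (`preverify_ok`) still has to cover everything that can be decided offline. Second, the timeout path must close rather than release the held writes, otherwise an unreachable responder silently turns the check off. OpenSSL 3.0 later added a way to suspend the handshake itself: a callback installed with SSL_CTX_set_cert_verify_callback() may return -1, the handshake call then fails with SSL_ERROR_WANT_RETRY_VERIFY, and the application resumes it with SSL_do_handshake() once the asynchronous result is in; that was not available at the time of this thread.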
