Re: mod_ssl OCSP questions

2007-11-30 Thread Dr Stephen Henson
Joe Orton wrote:
> Many thanks for the detailed response!  Everything taken on board, with 
> one further question:
> 
> On Thu, Nov 29, 2007 at 09:35:40PM +, Dr Stephen Henson wrote:
> ...
> > OpenSSL supports #1 and #2 directly so these should be automatic if the
> > OpenSSL OCSP API has been used correctly.
> > 
> > A limited form of #3 is implemented in OpenSSL. A generalised version
> > might be more appropriate in some circumstances but would need
> > additional configuration options to implement.
> 
> Making the responder signature verification configurable in mod_ssl 
> would just involve setting up a different set of trusted certs in an 
> X509_STORE_CTX and passing that as the context parameter to 
> OCSP_basic_verify(), right?  (When you say OpenSSL supports..., I 
> wonder if there is something more subtle here)
> 

There isn't any need to have a separate store really. A set of root CAs
for different purposes can share a common store with each one given an
appropriate set of trust settings. These can be edited using the OpenSSL
'x509' utility.

The idea here for example is that a root CA can be labeled as trusted
for client authentication or server authentication only.

To retain compatibility with root CAs without trust settings, most are on
by default.

OCSP signing is an exception which is off by default.

When a root has OCSP signing trust enabled any chain leading to it can
be used to sign arbitrary OCSP requests. This is a specific case of #3
where a special chain is used as a global responder which is trusted
to give status information about any CA.

There's some more info about this at:

http://www.openssl.org/docs/apps/ocsp.html#OCSP_Response_verification_

In some cases that is too wide and restrictions on the set of CAs a
given chain can authorise are more appropriate.

We could in future extend the OpenSSL trust settings to authorise chains
only for specific CAs (e.g. by OCSP IDs). That would probably make the
need for separate per-CA configuration options in mod_ssl unnecessary.

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.


Re: randomized request for apache benchmark

2007-11-30 Thread Guy Ferraiolo
I have a patch that provides this functionality to flood and will be
submitting it to this list, hopefully in a day or so.

Guy

On Thu, 2007-11-29 at 21:45 -0600, William A. Rowe, Jr. wrote:
> kaby wrote:
> > For the primarily web application is no longer static.
> > Considering factors like cache, instruction prediction, I suppose randomized
> > request is needed to avoid possible bias in benchmark.
> > So I want to propose a patch for this. Any suggestion?
> 
> ab.c isn't the place for such work, and you are absolutely right
> (modern architectures are incredibly good at doing stupidly repetitive
> tasks efficiently, and this doesn't mirror the real world).
> 
> Would you take a look at
> 
> http://svn.apache.org/repos/asf/httpd/test/trunk/flood/
> 
> which is already moving in the direction of flexibility you seek, and
> is actively soliciting new ideas and patches?
> 
> Bill
-- 
Guy Ferraiolo                        mailto:[EMAIL PROTECTED]
Performance Measurement & Analysis   http://CNET.com
CNET                                 tel: 1.908.541.3739
1200 Route 22 East                   fax: 1.908.575.7474
Bridgewater, NJ 08807                cel: 1.732.618.0250


Re: mod_ssl OCSP questions

2007-11-30 Thread Joe Orton
Many thanks for the detailed response!  Everything taken on board, with 
one further question:

On Thu, Nov 29, 2007 at 09:35:40PM +, Dr Stephen Henson wrote:
...
> OpenSSL supports #1 and #2 directly so these should be automatic if the
> OpenSSL OCSP API has been used correctly.
> 
> A limited form of #3 is implemented in OpenSSL. A generalised version
> might be more appropriate in some circumstances but would need
> additional configuration options to implement.

Making the responder signature verification configurable in mod_ssl 
would just involve setting up a different set of trusted certs in an 
X509_STORE_CTX and passing that as the context parameter to 
OCSP_basic_verify(), right?  (When you say OpenSSL supports..., I 
wonder if there is something more subtle here)

joe


Re: mod_ssl OCSP questions

2007-11-30 Thread Joe Orton
On Fri, Nov 30, 2007 at 10:34:28AM +0100, Marc Stern wrote:
> To be generic, we should be able to set some options based on the cert CA, 
> because we could use several types of certs (like when dealing with 
> national certs from European countries).

Having security policy decided based on a *regex match* against a 
textual representation of the issuer DN sounds pretty scary to me!

So the config options that are needed currently seem to be something 
like this:

  # select whether to validate the whole chain or just the EE cert
  SSLOCSPValidateWholeChain flag
  # set maximum time skew and age for response validity period
  SSLOCSPResponseWindow skew-secs max-age-secs
  # set CA certs for response signature verification
  SSLOCSPResponseCAFile file
  SSLOCSPResponseCAPath directory

These (and existing config options) could conceivably be wrapped into 
issuer-CA-specific containers in the configuration, like:

  <SSLOCSPValidationPolicy issuer-cert-file>
    SSLOCSPFoo on
  </SSLOCSPValidationPolicy>

which does some magic to allow selection of policy based on matching the 
EE's issuer DN against the DNs of the certs in the issuer-cert-file; but 
that's all blue sky stuff.

joe


Re: how to append to strings...

2007-11-30 Thread Sam Carleton
On 11/30/07, Arturo 'Buanzo' Busleiman [EMAIL PROTECTED] wrote:

> I don't quite like the bucket brigades stuff (at least for input
> filters), but it's good enough.


I am open to other ideas...

All I am trying to do is read in the text element from some XML via
expat.  The expat parser can break up text elements into multiple
pieces; I am simply looking for the best way to build the string.  The
text is simply a relative path that normally is going to be less than
260 bytes.  What approach would you take to build this string?

Sam
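
The situation Sam describes, as an added example that is not from the thread, from mod_ssl or from any Apache module: expat's character-data handler (real signature `void (*)(void *userData, const XML_Char *s, int len)`, with `XML_Char` being `char` in a default build) may be called several times for one element with pieces that are not NUL-terminated, so something has to glue them together. The code below uses a plain bounded buffer rather than the bucket-brigade approach suggested elsewhere in the thread; `path_acc`, `path_acc_chars` and `assemble` are names chosen here, and the 260-byte bound is the figure from the question. The point a defender cares about is that the bound is enforced on every piece, so a very long element cannot grow the string past what the caller expects.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on the assembled path, the figure mentioned in the thread. */
#define ACC_MAX_LEN 260

/* Hypothetical accumulator handed to expat as userData. */
struct path_acc {
    char   buf[ACC_MAX_LEN + 1];  /* +1 for the terminating NUL */
    size_t len;
    int    overflow;              /* set once the bound has been exceeded */
};

void path_acc_init(struct path_acc *a)
{
    a->len = 0;
    a->overflow = 0;
    a->buf[0] = '\0';
}

/*
 * Character-data handler with expat's handler signature. The pieces are not
 * NUL-terminated and one element may produce many calls, so each call
 * appends and re-checks the bound; once exceeded, the element is rejected
 * and later pieces are ignored rather than partially kept.
 */
void path_acc_chars(void *userData, const char *s, int len)
{
    struct path_acc *a = userData;

    if (a->overflow)
        return;
    if (len < 0 || (size_t)len > ACC_MAX_LEN - a->len) {
        a->overflow = 1;
        a->len = 0;
        a->buf[0] = '\0';
        return;
    }
    memcpy(a->buf + a->len, s, (size_t)len);
    a->len += (size_t)len;
    a->buf[a->len] = '\0';
}

/* The assembled path, or NULL when the element's text exceeded the bound. */
const char *path_acc_result(const struct path_acc *a)
{
    return a->overflow ? NULL : a->buf;
}

/* Feeds the pieces expat would deliver for one element, so the splitting
 * behaviour can be exercised without running an XML parser. */
const char *assemble(struct path_acc *a, const char *const *pieces, size_t n)
{
    size_t i;

    path_acc_init(a);
    for (i = 0; i < n; i++)
        path_acc_chars(a, pieces[i], (int)strlen(pieces[i]));
    return path_acc_result(a);
}

int main(void)
{
    struct path_acc acc;
    /* Constructed sample: one element's text arriving in three pieces, as
     * happens when a buffer boundary or an entity reference splits it. */
    static const char *const pieces[] = { "images/2007/", "11/", "photo.jpg" };
    const char *path = assemble(&acc, pieces, 3);

    printf("%s\n", path ? path : "(rejected: over the bound)");
    return 0;
}
```

With a real parser the accumulator is registered through `XML_SetUserData()` and `XML_SetCharacterDataHandler()`, reset in the start-element handler and read out in the end-element handler; the bound check stays the same.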


Re: how to append to strings...

2007-11-30 Thread Arturo 'Buanzo' Busleiman
On 11/30/07, Sam Carleton [EMAIL PROTECTED] wrote:
> That is exactly what I was thinking about!  I read the article and read
> through the apr_buckets.h and am still seeking more info.  Does anyone
> know if any of the existing modules use a simple bucket system to
> build a string as an example for me?

I'd recommend that you take my learning approach: Get the Apache
source, get into the modules directory, then READ CODE! :). You'll
find lots of useful stuff there.

Also, you should take a look at Nick Kew's book.

I don't quite like the bucket brigades stuff (at least for input
filters), but it's good enough.


Re: how to append to strings...

2007-11-30 Thread Sam Carleton
On Nov 30, 2007 5:25 AM, Arturo 'Buanzo' Busleiman [EMAIL PROTECTED] wrote:

> You might be talking about bucket brigades. You can create a brigade,
> transform each string into a bucket, then insert/append after/before
> another reference bucket, etc.
>
> This will give you an idea:
>
> http://www.onlamp.com/pub/a/apache/2001/09/20/apache_2.html

That is exactly what I was thinking about!  I read the article and read
through the apr_buckets.h and am still seeking more info.  Does anyone
know if any of the existing modules use a simple bucket system to
build a string as an example for me?

Sam


Re: how to append to strings...

2007-11-30 Thread Arturo 'Buanzo' Busleiman
Sam Carleton wrote:
> The question is:  What is the correct way to append all the pieces of
> XML that I am going to get from expat into one string?  I recall
> reading somewhere that Apache has a really slick way of being able to

You might be talking about bucket brigades. You can create a brigade,
transform each string into a bucket, then insert/append after/before
another reference bucket, etc.

This will give you an idea:

http://www.onlamp.com/pub/a/apache/2001/09/20/apache_2.html

-- 
Arturo Buanzo Busleiman - Independent Information Security Consultant
Support Free Music - Vote for Futurabanda at: (see next line)
http://www.frecuenciazero.com.ar/realityrock/votar.htm


Re: mod_ssl OCSP questions

2007-11-30 Thread Dr Stephen Henson
Marc Stern wrote:
> 
> > > c) Steve mentioned some responders don't accept requests with
> > > nonces.  What is a sane default?  Send nonces (more secure), or not
> > > (better interop).  From reading the RFC it looks like mod_ssl should
> > > also be checking the validity times from the OCSP response, which
> > > would help, I guess
> > I'll check how we are using the API. There are some OCSP helper
> > functions in OpenSSL which check the appropriate times and allow a
> > configurable skew for cases where clocks are inaccurately set. How
> > much skew to allow in practice may again depend on local policy.
> > 
> I agree.
> If using a nonce, there is no need to check the date. If not, you have
> to specify the time delta to accept
> 

Although a nonce-supporting responder avoids replay attacks, I'd say we
always need to check the date in case a responder fault results in it
producing status information with an invalid date.

I've seen real world examples where stale information was being returned
by a responder.

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
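
The validity-window check discussed in this thread (Joe's proposed `SSLOCSPResponseWindow skew-secs max-age-secs` directive and Steve's point that the dates must be checked even when a nonce is used), as an added example that is not code from the thread, from mod_ssl or from OpenSSL. It is plain C over `time_t` values so it runs without libcrypto; the rules follow those of OpenSSL's `OCSP_check_validity(thisupd, nextupd, nsec, maxsec)`, where `nsec` is the permitted clock skew and `maxsec` the maximum accepted age of `thisUpdate` (`-1` for no limit). The function and enum names (`ocsp_check_window`, `OCSP_WINDOW_*`) and the sample times are constructed for this example.

```c
#include <stdio.h>
#include <time.h>

/* Outcome of the validity-window check. */
enum ocsp_window_result {
    OCSP_WINDOW_OK = 0,
    OCSP_WINDOW_NOT_YET_VALID,  /* thisUpdate more than nsec in the future */
    OCSP_WINDOW_TOO_OLD,        /* thisUpdate older than maxsec */
    OCSP_WINDOW_EXPIRED,        /* nextUpdate more than nsec in the past */
    OCSP_WINDOW_INCONSISTENT    /* nextUpdate precedes thisUpdate */
};

/*
 * Hypothetical helper applying the same rules as OpenSSL's
 * OCSP_check_validity(): skew is tolerated in both directions, an age limit
 * applies to thisUpdate only when maxsec >= 0, and nextUpdate (optional in
 * an OCSP response, hence has_nextupd) must not already have passed.
 */
enum ocsp_window_result
ocsp_check_window(time_t now, time_t thisupd, int has_nextupd, time_t nextupd,
                  long nsec, long maxsec)
{
    if (thisupd > now + nsec)
        return OCSP_WINDOW_NOT_YET_VALID;
    if (maxsec >= 0 && thisupd < now - maxsec)
        return OCSP_WINDOW_TOO_OLD;
    if (!has_nextupd)
        return OCSP_WINDOW_OK;
    if (nextupd < now - nsec)
        return OCSP_WINDOW_EXPIRED;
    if (nextupd < thisupd)
        return OCSP_WINDOW_INCONSISTENT;
    return OCSP_WINDOW_OK;
}

const char *ocsp_window_str(enum ocsp_window_result r)
{
    switch (r) {
    case OCSP_WINDOW_OK:            return "ok";
    case OCSP_WINDOW_NOT_YET_VALID: return "status not yet valid";
    case OCSP_WINDOW_TOO_OLD:       return "status too old";
    case OCSP_WINDOW_EXPIRED:       return "status expired";
    case OCSP_WINDOW_INCONSISTENT:  return "nextUpdate before thisUpdate";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed clock and window: 2007-11-30 00:00:00 UTC, five minutes
     * of skew, and responses whose thisUpdate is over a day old rejected. */
    const time_t now = (time_t)1196380800;
    const long skew = 300, max_age = 86400;
    size_t i;

    /* Constructed responses. A nonce that matches the request would not
     * rescue the stale one: the nonce binds the response to the request,
     * it says nothing about whether the status data inside is current. */
    struct { const char *name; time_t thisupd, nextupd; } samples[] = {
        { "fresh response",          now - 60,        now + 3600 },
        { "stale response",          now - 3 * 86400, now - 2 * 86400 },
        { "responder clock +2 min",  now + 120,       now + 3600 },
        { "responder clock +10 min", now + 600,       now + 3600 },
    };

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        enum ocsp_window_result r = ocsp_check_window(
            now, samples[i].thisupd, 1, samples[i].nextupd, skew, max_age);
        printf("%-24s -> %s\n", samples[i].name, ocsp_window_str(r));
    }
    return 0;
}
```

A nonce check belongs alongside this, not instead of it: OpenSSL exposes it separately as `OCSP_check_nonce()`, and a deployment that turns nonces off for interoperability is left with the window above as its only freshness guarantee, which is why the skew and age values deserve to be configurable per site.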