Enabling OCSP Stapling by default (was Re: mod_ssl ssl_util_stapling.c warnings)
On Wednesday 05 Jan 2011 10:03:19 Rob Stradling wrote:
> On Friday 24 December 2010 16:24:03 Igor Galić wrote:
> <snip>
>> If we want to see more extensive testing in the field, then this is the
>> right time to make 'On' the default.
>
> Steve, has Igor persuaded you?

I was hoping to generate a bit more discussion and to reach consensus on the "when" question here on-list, but never mind.

I've just filed Bug 50740 - Enable OCSP Stapling by default.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Re: Enabling OCSP Stapling by default (was Re: mod_ssl ssl_util_stapling.c warnings)
On Wednesday 09 Feb 2011 09:39:36 Rob Stradling wrote:
> On Wednesday 05 Jan 2011 10:03:19 Rob Stradling wrote:
>> On Friday 24 December 2010 16:24:03 Igor Galić wrote:
>> <snip>
>>> If we want to see more extensive testing in the field, then this is the
>>> right time to make 'On' the default.
>>
>> Steve, has Igor persuaded you?
>
> I was hoping to generate a bit more discussion and to reach consensus on the "when" question here on-list, but never mind.
>
> I've just filed Bug 50740 - Enable OCSP Stapling by default.

On a related note, I've also just filed Bug 50742 - Detect when the OpenSSL runtime library is vulnerable to CVE-2011-0014.

I think it makes sense to *not* enable OCSP Stapling by default when a vulnerable version of OpenSSL is being used.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
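As an added illustration of the runtime check Bug 50742 asks for (this is example Python written for this page, not httpd or mod_ssl code): the version number OpenSSL exposes at runtime is a packed integer, so "is the loaded library in an affected range" is a bounds check on that integer rather than a string comparison. The affected ranges below are the ones from the OpenSSL advisory for CVE-2011-0014 (0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c; fixed in 0.9.8r and 1.0.0d); the 3.x layout guard is this example's own addition.

```python
"""Decide the OCSP stapling default from the OpenSSL version loaded at runtime.

Illustrative code for this page, not part of httpd. Compile-time checks of
OPENSSL_VERSION_NUMBER miss the case a thread participant describes: the
module was built against one OpenSSL but runs against another, so the number
must come from the running library (here Python's ssl module).
"""
import ssl

# Layout of OPENSSL_VERSION_NUMBER for OpenSSL 0.9.5a through 1.1.x: 0xMNNFFPPS
#   M = major, NN = minor, FF = fix, PP = patch letter (1 = 'a'), S = status (0xf = release).
# OpenSSL 3.x switched to 0xMNN00PP0, so 3.x is handled separately below.


def decode_openssl_version(num: int) -> str:
    """Render a 0.9.x/1.x OPENSSL_VERSION_NUMBER as text, e.g. 0x1000004f -> '1.0.0d'."""
    major = (num >> 28) & 0xF
    minor = (num >> 20) & 0xFF
    fix = (num >> 12) & 0xFF
    patch = (num >> 4) & 0xFF
    status = num & 0xF
    text = f"{major}.{minor}.{fix}"
    if patch:
        text += chr(ord("a") + patch - 1)   # patch 1 -> 'a', 4 -> 'd', 0x11 -> 'q'
    if status == 0:
        text += "-dev"
    elif status < 0xF:
        text += f"-beta{status}"
    return text


# Inclusive ranges affected by CVE-2011-0014 (OpenSSL advisory, 8 Feb 2011).
CVE_2011_0014_RANGES = (
    (0x0090808F, 0x0090811F),   # 0.9.8h .. 0.9.8q (fixed in 0.9.8r = 0x0090812F)
    (0x1000000F, 0x1000003F),   # 1.0.0  .. 1.0.0c (fixed in 1.0.0d = 0x1000004F)
)


def vulnerable_to_cve_2011_0014(num: int) -> bool:
    """True when the packed version number falls inside an affected range."""
    return any(lo <= num <= hi for lo, hi in CVE_2011_0014_RANGES)


def stapling_default(num: int) -> str:
    """'on' unless the runtime library is in an affected range.

    OpenSSL 3.x postdates the fix and uses a different number layout, so it is
    accepted without decoding.
    """
    if ((num >> 28) & 0xF) >= 3:
        return "on"
    return "off" if vulnerable_to_cve_2011_0014(num) else "on"


def runtime_report() -> dict:
    """Describe the OpenSSL this interpreter is actually linked against."""
    num = ssl.OPENSSL_VERSION_NUMBER
    return {
        "version": ssl.OPENSSL_VERSION,
        "number": hex(num),
        "stapling_default": stapling_default(num),
    }


if __name__ == "__main__":
    print(decode_openssl_version(0x1000004F))   # 1.0.0d
    print(stapling_default(0x1000003F))          # off
    print(runtime_report())
```

Run as a script it reports the interpreter's own OpenSSL; inside a server module the same comparison would be made against the value the library returns at startup rather than the header constant the module was compiled with.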
Re: Enabling OCSP Stapling by default (was Re: mod_ssl ssl_util_stapling.c warnings)
On Wed, Feb 09, 2011 at 09:39:36AM +, Rob Stradling wrote:
> On Wednesday 05 Jan 2011 10:03:19 Rob Stradling wrote:
>> On Friday 24 December 2010 16:24:03 Igor Galić wrote:
>> <snip>
>>> If we want to see more extensive testing in the field, then this is the
>>> right time to make 'On' the default.
>>
>> Steve, has Igor persuaded you?
>
> I was hoping to generate a bit more discussion and to reach consensus on the "when" question here on-list, but never mind.

Has anybody got results of testing the OCSP stapling code that they can share? I would be sympathetic to an "on by default for 2.3.N" campaign if the lobbying came with some successful test results. What code have you tested, how did it work, what configuration, what responder vendor, etc?

Regards,
Joe
Re: Enabling OCSP Stapling by default (was Re: mod_ssl ssl_util_stapling.c warnings)
On 2/9/2011 5:15 AM, Joe Orton wrote:
> On Wed, Feb 09, 2011 at 09:39:36AM +, Rob Stradling wrote:
>> On Wednesday 05 Jan 2011 10:03:19 Rob Stradling wrote:
>>> On Friday 24 December 2010 16:24:03 Igor Galić wrote:
>>> <snip>
>>>> If we want to see more extensive testing in the field, then this is the
>>>> right time to make 'On' the default.
>>>
>>> Steve, has Igor persuaded you?
>>
>> I was hoping to generate a bit more discussion and to reach consensus on the "when" question here on-list, but never mind.
>
> Has anybody got results of testing the OCSP stapling code that they can share? I would be sympathetic to an "on by default for 2.3.N" campaign if the lobbying came with some successful test results. What code have you tested, how did it work, what configuration, what responder vendor, etc?

FWIW www.apache.org was running OCSP for some time. It's temporarily disabled in light of the pending 1.0.0d update.
Re: mod_ssl ssl_util_stapling.c warnings
On Friday 24 December 2010 16:24:03 Igor Galić wrote:
<snip>
> If we want to see more extensive testing in the field, then this is the
> right time to make 'On' the default.

Steve, has Igor persuaded you?

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Re: mod_ssl ssl_util_stapling.c warnings
>> More significantly the code hasn't been tested extensively in the field so
>> there may be problems that have yet to be uncovered.
>
> That's a fair point.
>
>> My personal opinion would be to, at least initially, require an explicit
>> directive to enable it and leave the option in future to have it enabled
>> by default.
>
> Makes sense.
>
> "tested extensively in the field" isn't likely to happen until httpd 2.4.x is released and significant numbers of sites upgrade. Hopefully it would be safe to enable it by default in a fairly early 2.4.x point release.
>
>> Anyone else have any thoughts on the matter?

If we want to see more extensive testing in the field, then this is the right time to make 'On' the default.

>> Steve.
>
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online

i

--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.ga...@brainsware.org
URL: http://brainsware.org/
Re: mod_ssl ssl_util_stapling.c warnings
On Wednesday 22 December 2010 16:11:21 Dr Stephen Henson wrote:
> On 22/12/2010 15:32, Rob Stradling wrote:
>> On Friday 03 December 2010 10:31:24 Rob Stradling wrote:
>> <snip>
>>> Would it be possible to make OCSP Stapling enabled by default (when the
>>> server certificate contains an OCSP Responder URL in the AIA extension)
>>> instead of disabled by default?
>>> (Perhaps SSLUseStapling could be replaced by SSLDisableStapling)
>>
>> Steve et al, Could you possibly spare a moment to answer this question?
>
> I was seeing if anyone else would comment on this first.
>
> It is of course technically possible. The OCSP stapling code requires an
> additional directive to enable an OCSP stapling cache: so this would break
> existing configuration files if enabled by default.

Would it be possible to change the OCSP stapling code so that it will set up the OCSP stapling cache with some sensible default settings if the SSLStaplingCache directive is not specified anywhere in the config files?

> More significantly the code hasn't been tested extensively in the field so
> there may be problems that have yet to be uncovered.

That's a fair point.

> My personal opinion would be to, at least initially, require an explicit
> directive to enable it and leave the option in future to have it enabled
> by default.

Makes sense.

"tested extensively in the field" isn't likely to happen until httpd 2.4.x is released and significant numbers of sites upgrade. Hopefully it would be safe to enable it by default in a fairly early 2.4.x point release.

> Anyone else have any thoughts on the matter?
>
> Steve.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Re: mod_ssl ssl_util_stapling.c warnings
On Friday 03 December 2010 10:31:24 Rob Stradling wrote:
<snip>
> Would it be possible to make OCSP Stapling enabled by default (when the
> server certificate contains an OCSP Responder URL in the AIA extension)
> instead of disabled by default?
> (Perhaps SSLUseStapling could be replaced by SSLDisableStapling)

Steve et al, Could you possibly spare a moment to answer this question? Thanks.

> I just wonder how many webmasters would bother to add "SSLUseStapling on"
> to their config files, even though OCSP Stapling benefits all parties.
>
> I understand that Microsoft IIS 7.x enables OCSP Stapling by default.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Re: mod_ssl ssl_util_stapling.c warnings
On 22/12/2010 15:32, Rob Stradling wrote:
> On Friday 03 December 2010 10:31:24 Rob Stradling wrote:
> <snip>
>> Would it be possible to make OCSP Stapling enabled by default (when the
>> server certificate contains an OCSP Responder URL in the AIA extension)
>> instead of disabled by default?
>> (Perhaps SSLUseStapling could be replaced by SSLDisableStapling)
>
> Steve et al, Could you possibly spare a moment to answer this question?

I was seeing if anyone else would comment on this first.

It is of course technically possible. The OCSP stapling code requires an additional directive to enable an OCSP stapling cache: so this would break existing configuration files if enabled by default.

More significantly the code hasn't been tested extensively in the field so there may be problems that have yet to be uncovered.

My personal opinion would be to, at least initially, require an explicit directive to enable it and leave the option in future to have it enabled by default.

Anyone else have any thoughts on the matter?

Steve.
--
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
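An added configuration example, written for this page rather than taken from the thread or from the httpd documentation, showing the dependency Steve describes: SSLUseStapling does nothing useful without a server-wide SSLStaplingCache, which is why turning the default on would break configurations that never declared a cache. Hostnames and file paths are placeholders; the timeout values are illustrative choices, not recommended defaults.

```apache
# The stapling cache is server-wide and must be declared outside every
# <VirtualHost>; without it, "SSLUseStapling on" fails at startup.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile    "/path/to/server.crt"
    SSLCertificateKeyFile "/path/to/server.key"
    # mod_ssl needs the issuer certificate to build the OCSP request, so the
    # chain has to be configured (newer releases also accept the chain
    # appended to SSLCertificateFile).
    SSLCertificateChainFile "/path/to/chain.crt"

    SSLUseStapling on
    # Only staple responses with status "good": if the responder errors out,
    # send nothing and let the client fall back to its own revocation check,
    # rather than stapling the error into every handshake.
    SSLStaplingReturnResponderErrors off
    # Bound how long a slow responder can hold up a handshake, and how long a
    # failed lookup is remembered before it is retried.
    SSLStaplingResponderTimeout 5
    SSLStaplingErrorCacheTimeout 60
</VirtualHost>
```

The result can be checked from any client with `openssl s_client -connect www.example.test:443 -status`: a stapled response shows up as an "OCSP Response Status: successful" block, while a server that is not stapling prints "OCSP response: no response sent". That is also the simplest way to produce the kind of field test result Joe asks for later in the thread.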
Re: mod_ssl ssl_util_stapling.c warnings
On Tuesday 30 November 2010 00:55:48 Dr Stephen Henson wrote:
> On 30/11/2010 00:03, Dr Stephen Henson wrote:
>> On 29/11/2010 21:46, Guenter Knauf wrote:
>> <snip>
>>> I think that we had something similar already in the past, and you
>>> suggested a change which was compatible with both 0.9.8 and 1.0.0
>>> branches, but I can't recall ... Or do we need to cleanly solve this with
>>> some version-dependent defines?
>>
>> See if the patch for bug #50121 resolves this for you.
>
> There's a slightly cleaner way of doing that: r1040366 in trunk fixes it for me.
>
> Steve.

Steve, thanks for cleaning and applying my patch.

A quick question, if I may...

Would it be possible to make OCSP Stapling enabled by default (when the server certificate contains an OCSP Responder URL in the AIA extension) instead of disabled by default?
(Perhaps SSLUseStapling could be replaced by SSLDisableStapling)

I just wonder how many webmasters would bother to add "SSLUseStapling on" to their config files, even though OCSP Stapling benefits all parties.

I understand that Microsoft IIS 7.x enables OCSP Stapling by default.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
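The condition Rob proposes, "the server certificate contains an OCSP Responder URL in the AIA extension", is a concrete test on the certificate's Authority Information Access extension: a SEQUENCE of AccessDescription entries, each an accessMethod OID plus a GeneralName, and stapling has something to fetch only when one entry carries id-ad-ocsp with a URI. mod_ssl reads that same extension through OpenSSL's X509_get1_ocsp(); the example below (written for this page, standard library only, not httpd code) decodes the extension value by hand so the check is visible. The DER input is constructed inline for the example and comes from no real certificate.

```python
"""Find the OCSP responder URL in a certificate's AIA extension value.

Illustrative Python for this page, not mod_ssl code. Handles the DER shapes
RFC 5280 defines for AuthorityInfoAccessSyntax; the sample bytes at the bottom
are constructed here, not taken from any real certificate.
"""

ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"         # RFC 5280 id-ad-ocsp
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"   # RFC 5280 id-ad-caIssuers
TAG_SEQUENCE, TAG_OID = 0x30, 0x06
TAG_URI = 0x86                            # GeneralName [6] uniformResourceIdentifier (IA5String)


def _read_tlv(data: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("DER element runs past end of data")
    return tag, data[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents (first byte packs the first two arcs)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_aia(ext_value: bytes):
    """Return [(accessMethod OID, URI), ...]; non-URI access locations are skipped."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA value is not a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = _read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription is not a SEQUENCE")
        tag, oid_body, nxt = _read_tlv(desc, 0)
        if tag != TAG_OID:
            raise ValueError("accessMethod is not an OBJECT IDENTIFIER")
        name_tag, name_body, _ = _read_tlv(desc, nxt)
        if name_tag == TAG_URI:
            out.append((_decode_oid(oid_body), name_body.decode("ascii")))
    return out


def ocsp_responder_url(ext_value: bytes):
    """First OCSP URI in the AIA, or None when the issuer publishes no responder."""
    for oid, uri in parse_aia(ext_value):
        if oid == ID_AD_OCSP:
            return uri
    return None


# --- constructed sample input (tiny DER encoder; short-form lengths suffice) ---
def _tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128, "sample data stays within short-form lengths"
    return bytes([tag, len(body)]) + body


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                        # base-128 with continuation bits
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return _tlv(TAG_OID, bytes(body))


def _access_description(oid: str, uri: str) -> bytes:
    return _tlv(TAG_SEQUENCE, _encode_oid(oid) + _tlv(TAG_URI, uri.encode("ascii")))


# Constructed AIA: caIssuers entry first, OCSP entry second (order is not significant).
SAMPLE_AIA = _tlv(TAG_SEQUENCE,
                  _access_description(ID_AD_CA_ISSUERS, "http://ca.example.test/ca.crt")
                  + _access_description(ID_AD_OCSP, "http://ocsp.example.test"))
# Constructed AIA with no OCSP entry: stapling would have nothing to fetch.
SAMPLE_AIA_NO_OCSP = _tlv(TAG_SEQUENCE,
                          _access_description(ID_AD_CA_ISSUERS, "http://ca.example.test/ca.crt"))

if __name__ == "__main__":
    print(ocsp_responder_url(SAMPLE_AIA))           # http://ocsp.example.test
    print(ocsp_responder_url(SAMPLE_AIA_NO_OCSP))   # None
```

A default-on policy keyed to this check would leave certificates without an OCSP entry exactly as they are today, which is what makes the proposal safe for issuers that publish only CRLs.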
Re: mod_ssl ssl_util_stapling.c warnings
On 29/11/2010 21:46, Guenter Knauf wrote:
> Hi Steve,
> ssl_util_stapling.c issues warnings / breaks when compiled with OSSL 1.0.0;
>
> MSVC warns:
>
> \modules\ssl\ssl_util_stapling.c(140) : warning C4133: '=' : incompatible types - from 'struct stack_st_OPENSSL_STRING *' to 'struct stack_st_STRING *'
> C:\buildprep\httpd-2.3.x.10\modules\ssl\ssl_util_stapling.c(142) : warning C4133: 'function' : incompatible types - from 'struct stack_st_STRING *' to 'struct stack_st *'
> C:\buildprep\httpd-2.3.x.10\modules\ssl\ssl_util_stapling.c(148) : warning C4133: 'function' : incompatible types - from 'struct stack_st_STRING *' to 'struct stack_st_OPENSSL_STRING *'
>
> and my picky CodeWarrior breaks:
>
> Compiling ssl_util_stapling.c
> ### mwccnlm Compiler:
> #File: ssl_util_stapling.c
> #
> #   140:   aia = X509_get1_ocsp(x);
> #   Error:   ^
> #   illegal implicit conversion from 'struct stack_st_OPENSSL_STRING *' to
> #   'struct stack_st_STRING *'
> ### mwccnlm Compiler:
> #   142:   cinf->uri = sk_STRING_pop(aia);
> #   Error:   ^
> #   illegal implicit conversion from 'struct stack_st_STRING *' to
> #   'struct stack_st *'
> ### mwccnlm Compiler:
> #   148:   X509_email_free(aia);
> #   Error:   ^
> #   illegal implicit conversion from 'struct stack_st_STRING *' to
> #   'struct stack_st_OPENSSL_STRING *'
>
> Errors caused tool to abort.
>
> I think that we had something similar already in the past, and you suggested a change which was compatible with both 0.9.8 and 1.0.0 branches, but I can't recall ... Or do we need to cleanly solve this with some version-dependent defines?

See if the patch for bug #50121 resolves this for you.

Steve.
--
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
Re: mod_ssl ssl_util_stapling.c warnings
On 30/11/2010 00:03, Dr Stephen Henson wrote:
> On 29/11/2010 21:46, Guenter Knauf wrote:
>> Hi Steve,
>> ssl_util_stapling.c issues warnings / breaks when compiled with OSSL 1.0.0;
>>
>> MSVC warns:
>>
>> \modules\ssl\ssl_util_stapling.c(140) : warning C4133: '=' : incompatible types - from 'struct stack_st_OPENSSL_STRING *' to 'struct stack_st_STRING *'
>> C:\buildprep\httpd-2.3.x.10\modules\ssl\ssl_util_stapling.c(142) : warning C4133: 'function' : incompatible types - from 'struct stack_st_STRING *' to 'struct stack_st *'
>> C:\buildprep\httpd-2.3.x.10\modules\ssl\ssl_util_stapling.c(148) : warning C4133: 'function' : incompatible types - from 'struct stack_st_STRING *' to 'struct stack_st_OPENSSL_STRING *'
>>
>> and my picky CodeWarrior breaks:
>>
>> Compiling ssl_util_stapling.c
>> ### mwccnlm Compiler:
>> #File: ssl_util_stapling.c
>> #
>> #   140:   aia = X509_get1_ocsp(x);
>> #   Error:   ^
>> #   illegal implicit conversion from 'struct stack_st_OPENSSL_STRING *' to
>> #   'struct stack_st_STRING *'
>> ### mwccnlm Compiler:
>> #   142:   cinf->uri = sk_STRING_pop(aia);
>> #   Error:   ^
>> #   illegal implicit conversion from 'struct stack_st_STRING *' to
>> #   'struct stack_st *'
>> ### mwccnlm Compiler:
>> #   148:   X509_email_free(aia);
>> #   Error:   ^
>> #   illegal implicit conversion from 'struct stack_st_STRING *' to
>> #   'struct stack_st_OPENSSL_STRING *'
>>
>> Errors caused tool to abort.
>>
>> I think that we had something similar already in the past, and you suggested a change which was compatible with both 0.9.8 and 1.0.0 branches, but I can't recall ... Or do we need to cleanly solve this with some version-dependent defines?
>
> See if the patch for bug #50121 resolves this for you.

There's a slightly cleaner way of doing that: r1040366 in trunk fixes it for me.

Steve.
--
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
Re: mod_ssl ssl_util_stapling.c warnings
On 30.11.2010 01:55, Dr Stephen Henson wrote:
>> See if the patch for bug #50121 resolves this for you.
>
> There's a slightly cleaner way of doing that: r1040366 in trunk fixes it for me.

thanks Steve, works fine.
I've closed bug #50121.

Gün.