Re: server-side OCSP stapling
On 03/01/2016 02:19 PM, Martin Thomson wrote:
> AIUI, support for stapling in NSS is pretty primitive. You are expected to
> make the OCSP query yourself and use the API to configure the server.

IIRC the API to fetch the OCSP response is mostly application code. NSS has a simple HTTP request function that can fetch the request if the application doesn't supply one (which doesn't know about proxies, etc.). You could override the HTTP fetch function, then validate your cert chain and squirrel away the OCSP response before you pass it off to NSS. That's probably the simplest way of getting it. I think you just need the blob, not the parsed blob.

bob

> On Mar 2, 2016 7:42 AM, "Rob Crittenden" wrote:
>> I don't see a way to implement OCSP stapling on the server side.
>>
>> SSL_SetStapledOCSPResponses() is I think what one would use to set the
>> response in the SSL session but I don't see a way to get the response
>> from the OCSP handler. At least, I don't see a way without implementing
>> my own status checker and overriding statusConfig->statusChecker ala
>> CERT_EnableOCSPChecking().
>>
>> Am I missing something?
>>
>> thanks
>>
>> rob
>> --
>> dev-tech-crypto mailing list
>> dev-tech-crypto@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: server-side OCSP stapling
AIUI, support for stapling in NSS is pretty primitive. You are expected to make the OCSP query yourself and use the API to configure the server.

On Mar 2, 2016 7:42 AM, "Rob Crittenden" wrote:
> I don't see a way to implement OCSP stapling on the server side.
>
> SSL_SetStapledOCSPResponses() is I think what one would use to set the
> response in the SSL session but I don't see a way to get the response
> from the OCSP handler. At least, I don't see a way without implementing
> my own status checker and overriding statusConfig->statusChecker ala
> CERT_EnableOCSPChecking().
>
> Am I missing something?
>
> thanks
>
> rob
server-side OCSP stapling
I don't see a way to implement OCSP stapling on the server side.

SSL_SetStapledOCSPResponses() is I think what one would use to set the response in the SSL session but I don't see a way to get the response from the OCSP handler. At least, I don't see a way without implementing my own status checker and overriding statusConfig->statusChecker ala CERT_EnableOCSPChecking().

Am I missing something?

thanks

rob
GSoC mentor wanted
I have a promising GSoC candidate who is interested in working on bug 1162897 (RFC7512 URI support¹), and potentially also on bug 248722 (honour the system-wide configuration for PKCS#11 modules, when it exists²). I am more than happy to co-mentor, but I think it *really* needs a proper NSS developer to be the primary mentor. Could I interest anyone in helping out, please?

This is a really useful project. Applications built against OpenSSL or GnuTLS will transparently load the PKCS#11 tokens specified by the system configuration, and allow objects therein to be identified by their PKCS#11 URI. This consistency is a Good Thing™, and the Fedora distribution at least has explicit packaging guidelines that its packages SHOULD behave this way. So Fedora has open bugs against its curl package, for example, which could *only* be resolved right now by building curl against GnuTLS instead of NSS. This is obviously not the ideal solution; let's make NSS play nicely too :)

--
David Woodhouse
Open Source Technology Centre
david.woodho...@intel.com
Intel Corporation

¹ https://bugzilla.mozilla.org/show_bug.cgi?id=1162897
² https://bugzilla.mozilla.org/show_bug.cgi?id=248722