Re: server-side OCSP stapling

2016-03-01 Thread Robert Relyea

On 03/01/2016 02:19 PM, Martin Thomson wrote:

AIUI, support for stapling in NSS is pretty primitive. You are expected to
make the OCSP query yourself and use the API to configure the server.


IIRC the API to fetch the OCSP response is mostly application code. NSS
has a simple http request function that can fetch the request if the
application doesn't supply one (which doesn't know about proxies, etc.).
You could override the http fetch function, then validate your cert
chain and squirrel away the OCSP response before you pass it off to NSS.
That's probably the simplest way of getting it.


I think you just need the blob, not the parsed blob.

bob

On Mar 2, 2016 7:42 AM, "Rob Crittenden"  wrote:


I don't see a way to implement OCSP stapling on the server side.

SSL_SetStapledOCSPResponses() is I think what one would use to set the
response in the SSL session but I don't see a way to get the response
from the OCSP handler. At least, I don't see a way without implementing
my own status checker and overriding statusConfig->statusChecker ala
CERT_EnableOCSPChecking().

Am I missing something?

thanks

rob
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
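Following on from the "squirrel away the blob" suggestion: whatever the fetch hook captures is the raw DER OCSPResponse, and it is worth checking its outer responseStatus before keeping it, since a tryLater or unauthorized status carries nothing a client can use. The C below is an added example written for this thread, not NSS code and not from any of the posters; it assumes the caller later hands the retained copy to SSL_SetStapledOCSPResponses() as mentioned above, and the two DER blobs at the bottom are constructed samples, not real responder output. It only reads the outer wrapper; signature validation of the BasicOCSPResponse inside stays with NSS.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Outer OCSPResponse structure (RFC 6960, section 4.2.1):
 *   OCSPResponse ::= SEQUENCE {
 *       responseStatus  ENUMERATED { successful(0), malformedRequest(1),
 *                                    internalError(2), tryLater(3),
 *                                    sigRequired(5), unauthorized(6) },
 *       responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL }
 */

typedef struct { const uint8_t *ptr; size_t len; } der_view;

/* Read one DER tag/length/value and advance *in past it.
 * Returns 0 on success, -1 on truncated or malformed input. */
static int der_read_tlv(der_view *in, uint8_t *tag, der_view *body)
{
    if (in->len < 2) return -1;
    *tag = in->ptr[0];
    size_t pos = 1;
    size_t len = in->ptr[pos++];
    if (len & 0x80) {                       /* long-form length */
        size_t nbytes = len & 0x7f;
        if (nbytes == 0 || nbytes > 4 || in->len - pos < nbytes) return -1;
        len = 0;
        for (size_t i = 0; i < nbytes; i++) len = (len << 8) | in->ptr[pos++];
    }
    if (in->len - pos < len) return -1;
    body->ptr = in->ptr + pos;
    body->len = len;
    in->ptr += pos + len;
    in->len -= pos + len;
    return 0;
}

/* Returns responseStatus (0..6), or -1 if the blob is not a well-formed
 * OCSPResponse. *has_bytes is set to 1 when [0] responseBytes is present.
 * The signed BasicOCSPResponse inside is not verified here. */
int ocsp_response_status(const uint8_t *der, size_t der_len, int *has_bytes)
{
    der_view in = { der, der_len }, seq, val;
    uint8_t tag;
    if (has_bytes) *has_bytes = 0;
    if (der_read_tlv(&in, &tag, &seq) != 0 || tag != 0x30 || in.len != 0) return -1;
    if (der_read_tlv(&seq, &tag, &val) != 0 || tag != 0x0a || val.len != 1) return -1;
    int status = val.ptr[0];
    if (seq.len > 0) {
        if (der_read_tlv(&seq, &tag, &val) != 0 || tag != 0xa0 || seq.len != 0) return -1;
        if (has_bytes) *has_bytes = 1;
    }
    return status;
}

/* Keep a private copy of the raw DER only when it is a successful response
 * that actually carries responseBytes; that copy is what gets stapled later
 * (hypothetical caller: the application's fetch hook). Returns 1 and sets
 * *out/*out_len on success, 0 otherwise. Status-only responses such as
 * tryLater or unauthorized are rejected rather than stapled. */
int ocsp_capture_for_stapling(const uint8_t *der, size_t der_len,
                              uint8_t **out, size_t *out_len)
{
    int has_bytes = 0;
    if (ocsp_response_status(der, der_len, &has_bytes) != 0 || !has_bytes) return 0;
    uint8_t *copy = malloc(der_len);
    if (!copy) return 0;
    memcpy(copy, der, der_len);
    *out = copy;
    *out_len = der_len;
    return 1;
}

/* Constructed sample blobs (not real responder output): a successful response
 * whose responseBytes holds a one-byte placeholder OCTET STRING, and a bare
 * tryLater status with no responseBytes at all. */
const uint8_t sample_ok[] = {
    0x30, 0x15, 0x0a, 0x01, 0x00, 0xa0, 0x10, 0x30, 0x0e,
    0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01, /* id-pkix-ocsp-basic */
    0x04, 0x01, 0x00 };
const size_t sample_ok_len = sizeof sample_ok;
const uint8_t sample_trylater[] = { 0x30, 0x03, 0x0a, 0x01, 0x03 };
const size_t sample_trylater_len = sizeof sample_trylater;
```

The gate is deliberately on the outer wrapper only: the fetch hook runs before NSS has validated anything, so the copy is kept as an opaque blob and the real verification (responder signature, thisUpdate/nextUpdate, certificate match) is left to NSS when the chain is validated.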

Re: server-side OCSP stapling

2016-03-01 Thread Martin Thomson
AIUI, support for stapling in NSS is pretty primitive. You are expected to
make the OCSP query yourself and use the API to configure the server.
On Mar 2, 2016 7:42 AM, "Rob Crittenden"  wrote:

> I don't see a way to implement OCSP stapling on the server side.
>
> SSL_SetStapledOCSPResponses() is I think what one would use to set the
> response in the SSL session but I don't see a way to get the response
> from the OCSP handler. At least, I don't see a way without implementing
> my own status checker and overriding statusConfig->statusChecker ala
> CERT_EnableOCSPChecking().
>
> Am I missing something?
>
> thanks
>
> rob
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>


server-side OCSP stapling

2016-03-01 Thread Rob Crittenden
I don't see a way to implement OCSP stapling on the server side.

SSL_SetStapledOCSPResponses() is I think what one would use to set the
response in the SSL session but I don't see a way to get the response
from the OCSP handler. At least, I don't see a way without implementing
my own status checker and overriding statusConfig->statusChecker ala
CERT_EnableOCSPChecking().

Am I missing something?

thanks

rob


GSoC mentor wanted

2016-03-01 Thread David Woodhouse
I have a promising GSoC candidate who is interested in working on bug
1162897 (RFC7512 URI support¹), and potentially also on bug 248722
(honour the system-wide configuration for PKCS#11 modules, when it
exists²).

I am more than happy to co-mentor, but I think it *really* needs a
proper NSS developer to be the primary mentor. Could I interest anyone
in helping out, please?

This is a really useful project. Applications built against OpenSSL or
GnuTLS will transparently load the PKCS#11 tokens specified by the
system configuration, and allow objects therein to be identified by
their PKCS#11 URI. This consistency is a Good Thing™, and the Fedora
distribution at least has explicit packaging guidelines that its
packages SHOULD behave this way.

So Fedora has open bugs against its curl package, for example, which
could *only* be resolved right now by building curl against GnuTLS
instead of NSS.

This is obviously not the ideal solution; let's make NSS play nicely
too :)

-- 
David Woodhouse                Open Source Technology Centre
david.woodho...@intel.com      Intel Corporation


¹ https://bugzilla.mozilla.org/show_bug.cgi?id=1162897
² https://bugzilla.mozilla.org/show_bug.cgi?id=248722