RE: Query on OpenSSL for Certificate verification

2009-04-15 Thread Vijay Kothamasu (vikotham)
Hi Kyle,

Thanks for your valuable inputs; find my responses inline.

 
Then don't return from the original SSL_CTX_set_verify callback until you 
either:
a) receive a valid OCSP response that says it's okay,
b) receive a valid OCSP response that says it's not okay,
c) receive an invalid OCSP response (i.e., OCSP failure), or
d) time out.
[Vijay] Blocking in the callback function is not feasible, as our product 
operates in a single-thread model, for whatsoever reason that may be. If we block 
in the callback function there will be a huge number of other events which will 
not be processed till we return from this function, which is really costly for 
our kind of scenario.

You're perilously close to a chicken and egg problem here:

1) You need the certificate to check
2) you cannot get the certificate to check until you attempt to make the 
connection
3) once you connect, you are stuck in a state machine where you haven't checked 
the certificate.
[Vijay] You are very correct.

Some browsers try to handle this kind of situation by scanning HTML for links 
and pre-loading them to the cache.  These tend not to work all that well.

If you're returning asynchronously, then you also need to have a mechanism to 
send asynchronous exceptions.
[Vijay] Could you please provide more details on this method? What are these 
exceptions? How do we report the status through these exceptions asynchronously? 
Please provide us a sample program and documentation regarding the exceptions. 
Also, do you foresee any issues with this kind of approach?


  Either that, or you have to make it synchronous until the OCSP response is 
returned.
[Vijay] I discussed this with our team; the synchronous method is not feasible.


Thanks again for your help.

Regards
Vijay


-Original Message-
From: Kyle Hamilton [mailto:aerow...@gmail.com] 
Sent: Tuesday, April 14, 2009 7:57 AM
To: Vijay Kothamasu (vikotham)
Cc: openssl-users@openssl.org; Kamalakanta Palei (kpalei); Jagadish Mynampati 
(jmynampa); Uma Sankar Panda (upanda)
Subject: Re: Query on OpenSSL for Certificate verification

Then don't return from the original SSL_CTX_set_verify callback until you 
either:
a) receive a valid OCSP response that says it's okay,
b) receive a valid OCSP response that says it's not okay,
c) receive an invalid OCSP response (i.e., OCSP failure), or
d) time out.

You're perilously close to a chicken and egg problem here:

1) You need the certificate to check
2) you cannot get the certificate to check until you attempt to make the 
connection
3) once you connect, you are stuck in a state machine where you haven't checked 
the certificate.

Some browsers try to handle this kind of situation by scanning HTML for links 
and pre-loading them to the cache.  These tend not to work all that well.

If you're returning asynchronously, then you also need to have a mechanism to 
send asynchronous exceptions.  Either that, or you have to make it synchronous 
until the OCSP response is returned.

-Kyle H

On Mon, Apr 13, 2009 at 2:35 PM, Vijay Kothamasu (vikotham) 
vikot...@cisco.com wrote:
 Hi Kyle,

 Sorry for the delayed response, I am just back from my vacation.

 Thank you so much for your response and the information provided.

 But even with the SSL_CTX_set_verify() callback invocation, the result of the 
 certificate validation needs to be returned in the context of the callback 
 function itself in a synchronous manner, whereas in our scenario the cert 
 validation status is reported back in an asynchronous manner, as I explained 
 earlier.

 I am just wondering how I can realize that scenario.

 Thanks again.

 Regards
 Vijay





 -Original Message-
 From: Kyle Hamilton [mailto:aerow...@gmail.com]
 Sent: Tuesday, April 07, 2009 12:26 PM
 To: openssl-users@openssl.org
 Cc: Kamalakanta Palei (kpalei); kvi...@gmail.com; Vijay Kothamasu 
 (vikotham)
 Subject: Re: Query on OpenSSL for Certificate verification

 This is a protocol called OCSP, with its designated responder mechanism.

 If you want to implement it, call the OCSP functions with the DR address and 
 the fields that OCSP needs during the SSL_CTX_set_verify() callback 
 invocation; if you really need to, create two separate SSL_CTX contexts, one 
 of which calls a function to check the certificate status, the other of which 
 always passes (so that the DR certificate doesn't need to be in the client's 
 local store).

 Note that I consider this insecure.  First, the denial of service potential 
 (the DR goes down).  Second, man-in-the-middle or redirection attacks (the DR 
 is replaced by a bogus one).  Third, the entire point of X.509 is to allow 
 for clients to have all the information they need to verify certificates in 
 the absence of an online authority.

 For more information I suggest you read the cryptographic literature for the 
 protocols that exist.

 -Kyle H

 On Mon, Apr 6, 2009 at 8:18 AM, Vijay Kothamasu (vikotham) 
 vikot...@cisco.com wrote:
 Hi,

 I am just wondering if there is a way
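
Kyle's suggestion in this thread, return from the verify callback but keep a way to raise an "asynchronous exception" later, together with his four outcomes (a) to (d), as an added example that is not part of the thread and not OpenSSL's own code. It is a pure-C state machine with no OpenSSL linkage, so it compiles stand-alone; every name in it (struct conn, verify_cb_provisional, on_status_result, simulate, the 5-second timeout) is a hypothetical stand-in, and the comments name the real OpenSSL calls a client would use at each spot.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Life cycle of one connection in a single-threaded, non-blocking client
 * whose certificate-status check completes asynchronously (added example). */
enum conn_state {
    CONN_HANDSHAKING,      /* TLS handshake still running */
    CONN_AWAITING_STATUS,  /* handshake finished, status answer outstanding */
    CONN_ESTABLISHED,      /* status good: application data may flow */
    CONN_ABORTED           /* revoked, invalid answer, or timeout: closed */
};
enum cert_status  { CERT_PENDING, CERT_GOOD, CERT_BAD };
enum abort_reason { ABORT_NONE, ABORT_REVOKED, ABORT_RESPONSE_INVALID, ABORT_TIMEOUT };

#define STATUS_TIMEOUT_MS 5000   /* case (d): how long to wait for the responder (assumed) */

struct conn {
    enum conn_state   state;
    enum cert_status  status;
    enum abort_reason reason;
    int               handshake_done;
    char              pending_cert[64]; /* stands in for the X509* kept alive with X509_up_ref() */
    uint64_t          deadline_ms;      /* absolute time at which the status check expires */
};

void conn_init(struct conn *c)
{
    memset(c, 0, sizeof *c);
    c->state  = CONN_HANDSHAKING;
    c->status = CERT_PENDING;
}

/* The "asynchronous exception": tear the connection down from outside the
 * verify callback. A real client calls SSL_shutdown() and closes the socket
 * here. Once aborted, the connection never carries application data. */
static void conn_abort(struct conn *c, enum abort_reason why)
{
    if (c->state == CONN_ABORTED)
        return;
    c->state  = CONN_ABORTED;
    c->status = CERT_BAD;
    c->reason = why;
}

/* Stand-in for the SSL_CTX_set_verify() callback, whose real signature is
 * int cb(int preverify_ok, X509_STORE_CTX *ctx). The real one reaches this
 * struct via X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx())
 * and SSL_get_ex_data(), and reads the cert and depth with
 * X509_STORE_CTX_get_current_cert() / X509_STORE_CTX_get_error_depth().
 * Chain and signature failures already found by OpenSSL (preverify_ok == 0)
 * are still rejected synchronously; only the leaf's status lookup is deferred. */
int verify_cb_provisional(struct conn *c, int preverify_ok, const char *cert,
                          int depth, uint64_t now_ms)
{
    if (!preverify_ok)
        return 0;                         /* synchronous failure, as before */
    if (depth == 0 && c->status == CERT_PENDING) {
        strncpy(c->pending_cert, cert, sizeof c->pending_cert - 1);
        c->pending_cert[sizeof c->pending_cert - 1] = '\0';
        c->deadline_ms = now_ms + STATUS_TIMEOUT_MS;
        /* the non-blocking status request would be queued here */
    }
    return 1;                             /* provisional: let the handshake finish */
}

/* Called when SSL_connect()/SSL_do_handshake() reports completion. */
void on_handshake_done(struct conn *c)
{
    if (c->state == CONN_ABORTED)
        return;
    c->handshake_done = 1;
    c->state = (c->status == CERT_GOOD) ? CONN_ESTABLISHED : CONN_AWAITING_STATUS;
}

/* Called by the event loop when the status answer arrives (cases a to c). */
void on_status_result(struct conn *c, const char *cert, int valid_response, int is_good)
{
    if (c->state == CONN_ABORTED || c->status != CERT_PENDING)
        return;
    if (strcmp(cert, c->pending_cert) != 0)
        return;                           /* answer for some other certificate */
    if (!valid_response) { conn_abort(c, ABORT_RESPONSE_INVALID); return; } /* case (c) */
    if (!is_good)        { conn_abort(c, ABORT_REVOKED);          return; } /* case (b) */
    c->status = CERT_GOOD;                                                  /* case (a) */
    if (c->handshake_done)
        c->state = CONN_ESTABLISHED;
}

/* Called from the event loop's timer; an answer arriving after this is ignored. */
void on_tick(struct conn *c, uint64_t now_ms)
{
    if (c->status == CERT_PENDING && c->pending_cert[0] != '\0' && now_ms >= c->deadline_ms)
        conn_abort(c, ABORT_TIMEOUT);     /* case (d) */
}

/* The gate the application consults before every SSL_write(). */
int can_send_app_data(const struct conn *c)
{
    return c->state == CONN_ESTABLISHED;
}

/* Drive one connection through a fixed event sequence: verify callback at
 * t=1000 ms, handshake completion, a status answer at arrival_ms (0 = no
 * answer ever), then a timer tick at t=7000 ms. Returns state * 10 + reason,
 * or a negative code if the gate misbehaved. Inputs are constructed. */
int simulate(int valid_response, int is_good, uint64_t arrival_ms)
{
    struct conn c;
    const char *leaf = "CN=example-server (constructed)";
    conn_init(&c);
    if (!verify_cb_provisional(&c, 1, leaf, 0, 1000))
        return -1;
    on_handshake_done(&c);
    if (can_send_app_data(&c))
        return -2;                        /* must stay gated until status is known */
    if (arrival_ms != 0) {
        on_tick(&c, arrival_ms);
        on_status_result(&c, leaf, valid_response, is_good);
    }
    on_tick(&c, 7000);
    return (int)c.state * 10 + (int)c.reason;
}

int main(void)
{
    printf("good answer at 2s:   %d (20 = established)\n", simulate(1, 1, 2000));
    printf("revoked at 2s:       %d (31 = aborted, revoked)\n", simulate(1, 0, 2000));
    printf("invalid answer:      %d (32 = aborted, invalid response)\n", simulate(0, 0, 2000));
    printf("no answer at all:    %d (33 = aborted, timeout)\n", simulate(1, 1, 0));
    printf("good answer at 6.5s: %d (33 = too late, already aborted)\n", simulate(1, 1, 6500));
    return 0;
}
```

The provisional return of 1 from the callback is only safe because of the gate: no application data can be written until the status is known, and a negative answer, an unparsable answer, or silence past the deadline all end in the same fail-closed abort. Failing closed on timeout turns Kyle's denial-of-service concern (the responder is down) from a silent bypass into a visible connection failure, and none of it blocks inside the callback, because the only work done there is to retain the certificate and start the timer, which is what a single-threaded event loop can afford.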

RE: Query on OpenSSL for Certificate verification

2009-04-15 Thread Vijay Kothamasu (vikotham)
Hi Kyle,

We would have surely done that if the implementation were from scratch. But 
currently we are just trying to add a small enhancement to the existing 
functionality... :)

Thanks for your help.

Regards
Vijay

-Original Message-
From: Kyle Hamilton [mailto:aerow...@gmail.com] 
Sent: Wednesday, April 15, 2009 2:40 AM
To: Vijay Kothamasu (vikotham)
Cc: openssl-users@openssl.org; Kamalakanta Palei (kpalei); Jagadish Mynampati 
(jmynampa); Uma Sankar Panda (upanda)
Subject: Re: Query on OpenSSL for Certificate verification

I'd be happy to, if you engage me as a contractor.

-Kyle H

On Tue, Apr 14, 2009 at 12:26 PM, Vijay Kothamasu (vikotham) 
vikot...@cisco.com wrote:
 Hi Kyle,

 Thanks for your valuable inputs; find my responses inline.


 Then don't return from the original SSL_CTX_set_verify callback until 
 you
 either:
 a) receive a valid OCSP response that says it's okay,
 b) receive a valid OCSP response that says it's not okay,
 c) receive an invalid OCSP response (i.e., OCSP failure), or
 d) time out.
 [Vijay] Blocking in the callback function is not feasible, as our 
 product operates in a single-thread model, for whatsoever reason that may 
 be. If we block in the callback function there will be a huge number of 
 other events which will not be processed till we return from this 
 function, which is really costly for our kind of scenario.

 You're perilously close to a chicken and egg problem here:

 1) You need the certificate to check
 2) you cannot get the certificate to check until you attempt to make 
 the connection
 3) once you connect, you are stuck in a state machine where you 
 haven't checked the certificate.
 [Vijay] You are very correct.

 Some browsers try to handle this kind of situation by scanning HTML 
 for links and pre-loading them to the cache.  These tend not to work 
 all that well.

 If you're returning asynchronously, then you also need to have a 
 mechanism to send asynchronous exceptions.
 [Vijay] Could you please provide more details on this method? What 
 are these exceptions? How do we report the status through these exceptions 
 asynchronously? Please provide us a sample program and documentation 
 regarding the exceptions. Also, do you foresee any issues with this 
 kind of approach?

   Either that, or you have to make it synchronous until the OCSP 
 response is returned.
 [Vijay] I discussed this with our team; the synchronous method is not feasible.

 Thanks again for your help.

 Regards
 Vijay

 -Original Message-
 From: Kyle Hamilton [mailto:aerow...@gmail.com]
 Sent: Tuesday, April 14, 2009 7:57 AM
 To: Vijay Kothamasu (vikotham)
 Cc: openssl-users@openssl.org; Kamalakanta Palei (kpalei); Jagadish 
 Mynampati (jmynampa); Uma Sankar Panda (upanda)
 Subject: Re: Query on OpenSSL for Certificate verification

 Then don't return from the original SSL_CTX_set_verify callback until 
 you
 either:
 a) receive a valid OCSP response that says it's okay,
 b) receive a valid OCSP response that says it's not okay,
 c) receive an invalid OCSP response (i.e., OCSP failure), or
 d) time out.

 You're perilously close to a chicken and egg problem here:

 1) You need the certificate to check
 2) you cannot get the certificate to check until you attempt to make 
 the connection
 3) once you connect, you are stuck in a state machine where you 
 haven't checked the certificate.

 Some browsers try to handle this kind of situation by scanning HTML 
 for links and pre-loading them to the cache.  These tend not to work 
 all that well.

 If you're returning asynchronously, then you also need to have a 
 mechanism to send asynchronous exceptions.  Either that, or you have 
 to make it synchronous until the OCSP response is returned.

 -Kyle H

 On Mon, Apr 13, 2009 at 2:35 PM, Vijay Kothamasu (vikotham) 
 vikot...@cisco.com wrote:
 Hi Kyle,

 Sorry for the delayed response, I am just back from my vacation.

 Thank you so much for your response and the information provided.

 But even with the SSL_CTX_set_verify() callback invocation, the 
 result of the certificate validation needs to be returned in the 
 context of the callback function itself in a synchronous manner, 
 whereas in our scenario the cert validation status is reported back 
 in an asynchronous manner, as I explained earlier.


 I am just wondering how I can realize that scenario.

 Thanks again.

 Regards
 Vijay





 -Original Message-
 From: Kyle Hamilton [mailto:aerow...@gmail.com]
 Sent: Tuesday, April 07, 2009 12:26 PM
 To: openssl-users@openssl.org
 Cc: Kamalakanta Palei (kpalei); kvi...@gmail.com; Vijay Kothamasu
 (vikotham)
 Subject: Re: Query on OpenSSL for Certificate verification

 This is a protocol called OCSP, with its designated responder mechanism.

 If you want to implement it, call the OCSP functions with the DR 
 address and the fields that OCSP needs during the 
 SSL_CTX_set_verify() callback invocation; if you really need to, 
 create two separate SSL_CTX contexts, one of which calls

RE: Query on OpenSSL for Certificate verification

2009-04-14 Thread Vijay Kothamasu (vikotham)
Hi Kyle,

Sorry for the delayed response, I am just back from my vacation.

Thank you so much for your response and the information provided.

But even with the SSL_CTX_set_verify() callback invocation, the result of the 
certificate validation needs to be returned in the context of the callback 
function itself in a synchronous manner, whereas in our scenario the cert 
validation status is reported back in an asynchronous manner, as I explained 
earlier.

I am just wondering how I can realize that scenario.

Thanks again.

Regards
Vijay

 
 


-Original Message-
From: Kyle Hamilton [mailto:aerow...@gmail.com] 
Sent: Tuesday, April 07, 2009 12:26 PM
To: openssl-users@openssl.org
Cc: Kamalakanta Palei (kpalei); kvi...@gmail.com; Vijay Kothamasu (vikotham)
Subject: Re: Query on OpenSSL for Certificate verification

This is a protocol called OCSP, with its designated responder mechanism.

If you want to implement it, call the OCSP functions with the DR address and 
the fields that OCSP needs during the SSL_CTX_set_verify() callback invocation; 
if you really need to, create two separate SSL_CTX contexts, one of which calls 
a function to check the certificate status, the other of which always passes 
(so that the DR certificate doesn't need to be in the client's local store).

Note that I consider this insecure.  First, the denial of service potential 
(the DR goes down).  Second, man-in-the-middle or redirection attacks (the DR 
is replaced by a bogus one).  Third, the entire point of X.509 is to allow for 
clients to have all the information they need to verify certificates in the 
absence of an online authority.

For more information I suggest you read the cryptographic literature for the 
protocols that exist.

-Kyle H

On Mon, Apr 6, 2009 at 8:18 AM, Vijay Kothamasu (vikotham) vikot...@cisco.com 
wrote:
 Hi,

 I am just wondering if there is a way to realize the following 
 scenario with the help of the OpenSSL libraries; here is a brief explanation in 
 this regard.

 -
 I have a Client and a Server that need to set up a secure connection using 
 TLS/SSL. As part of the handshake the Server sends its certificate to the 
 Client. But the Client doesn't have any certificates with it to 
 authenticate the certificate; rather, it needs to communicate (via a 
 non-blocking call) with another entity (like a Certificate Authority (CA)) 
 to get the certificate validated. This CA will look through its list 
 of certificates to authenticate it and inform the Client back 
 in an asynchronous manner (maybe some callback) that the certificate 
 is valid. Now the Client will proceed further with the Server to 
 complete the handshake and set up the connection.

 Here is a pictorial description of this scenario for better clarity


 -

 I went through the available documentation, to the best of my 
 understanding I couldn't find the library APIs(SSL/BIO/X509) to 
 realize the above scenario.

 Is there any way to fit in the above verification setup as part of the 
 handshake? It will be of great help if anybody can provide me the 
 pointers in this regard.

 Thanks for your help in advance.

 Regards
 Vijay
__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          majord...@openssl.org


Query on OpenSSL for Certificate verification

2009-04-07 Thread Vijay Kothamasu (vikotham)
Hi,
 
I am just wondering if there is a way to realize the following scenario
with the help of the OpenSSL libraries; here is a brief explanation in
this regard.

-
I have a Client and a Server that need to set up a secure connection using
TLS/SSL. As part of the handshake the Server sends its certificate to the
Client. But the Client doesn't have any certificates with it to authenticate
the certificate; rather, it needs to communicate (via a non-blocking call)
with another entity (like a Certificate Authority (CA)) to get the
certificate validated. This CA will look through its list of
certificates to authenticate it and inform the Client back in an
asynchronous manner (maybe some callback) that the certificate is valid.
Now the Client will proceed further with the Server to complete the
handshake and set up the connection.
 
Here is a pictorial description of this scenario for better clarity:

[image attachment not reproduced in the archive]

-
 
I went through the available documentation, to the best of my
understanding I couldn't find the library APIs(SSL/BIO/X509) to realize
the above scenario.
 
Is there any way to fit in the above verification setup as part of the
handshake? It will be of great help if anybody can provide me the
pointers in this regard. 
 
Thanks for your help in advance.
 
Regards
Vijay
[attachment: att4d85f.jpg]