Re: mod_mdv2: stapling

2019-06-26 Thread Stefan Eissing
Please have a look in trunk if the current implementation is what you had in 
mind.

Cheers, Stefan

> Am 24.06.2019 um 17:39 schrieb Graham Leggett :
> 
> On 24 Jun 2019, at 17:25, Stefan Eissing  wrote:
> 
>> You mean optional hooks by mod_ssl so that mod_md or someone else can take 
>> over?
> 
> Yes.
> 
> A while back I was looking at supporting an arbitrary collection of 
> certificates instead of discrete certs per virtual host, and the md optional 
> function was right where a hook would go. I've been meaning to fix this, but 
> I’m drowning in stuff right now.
> 
> Regards,
> Graham
> —
> 



Re: mod_mdv2: stapling

2019-06-24 Thread Graham Leggett
On 24 Jun 2019, at 17:25, Stefan Eissing  wrote:

> You mean optional hooks by mod_ssl so that mod_md or someone else can take 
> over?

Yes.

A while back I was looking at supporting an arbitrary collection of 
certificates instead of discrete certs per virtual host, and the md optional 
function was right where a hook would go. I've been meaning to fix this, but 
I’m drowning in stuff right now.

Regards,
Graham
—





Re: mod_mdv2: stapling

2019-06-24 Thread Stefan Eissing
You mean optional hooks by mod_ssl so that mod_md or someone else can take over?

> Am 24.06.2019 um 17:23 schrieb Graham Leggett :
> 
> On 24 Jun 2019, at 17:12, Stefan Eissing  wrote:
> 
>> General interworking mod_ssl <-> mod_md: 2 new optional functions:
> 
> One quick thing I wanted to bring up a while back - rather than optional 
> functions which can only ever be provided by a single implementation, can 
> these be hooks instead?
> 
> A hook allows additional modules to modify the behaviour if we want to in the 
> future, without replacing mod_md.
> 
> Regards,
> Graham
> —
> 



Re: mod_mdv2: stapling

2019-06-24 Thread Graham Leggett
On 24 Jun 2019, at 17:12, Stefan Eissing  wrote:

> General interworking mod_ssl <-> mod_md: 2 new optional functions:

One quick thing I wanted to bring up a while back - rather than optional 
functions which can only ever be provided by a single implementation, can these 
be hooks instead?

A hook allows additional modules to modify the behaviour if we want to in the 
future, without replacing mod_md.

Regards,
Graham
—





mod_mdv2: stapling

2019-06-24 Thread Stefan Eissing
I am looking for feedback and harsh criticism from this excellent group of people 
here.
If you see mistakes or have ideas on improving, I'd appreciate it.

Cheers,

Stefan


The new OCSP stapling implementation in mod_md will:

- be for server certificates in virtual hosts
- co-exist with existing mod_ssl ocsp stapling
- be watchdog driven, file system persisted

Features of mod_ssl stapling I do not plan to implement:

- SSLStaplingFakeTryLater: 
  either we have a response or not. If not, nothing is set in the response. On 
must-staple, clients will fail.
- SSLStaplingForceURL: 
  think I do not need it for the test setup.
- SSLStaplingResponseMaxAge: 
  there will be a "renew window" instead. So the watchdog will get a new response x 
amount of time before the existing one expires.
- SSLStaplingResponseTimeSkew: 
  I see no need.
- SSLStaplingReturnResponderErrors: 
  errors from OCSP responders are detected by the watchdog and logged. Clients 
only see valid stapling or no stapling.

Maybe I am missing a use case here. If you are aware of one (e.g. need for time 
skew), please let me know.


General interworking mod_ssl <-> mod_md: 2 new optional functions:

  apr_status_t md_stapling_init_cert(server_rec *s, X509 *cert, ...)
  apr_status_t md_stapling_get_response(md_ocsp_response **prsp, server_rec *s, 
X509 *cert, conn_rec *c, ...)

Via "MDStapling on|off", the admin can control the new stapling for all or just 
a particular MD.
Via "MDStapling all", the new stapling would apply to all certificates, even 
those not covered by an MD.

md_stapling_init_cert(...) will return:
  APR_SUCCESS, when mod_md takes over stapling of this server_rec
  APR_ENOTIMPL, when it does not and mod_ssl shall continue as it does now
  otherwise, a real error happened.

md_stapling_get_response(...) will return:
  APR_SUCCESS with a valid response
  APR_ENOENT if no valid response is available
  APR_ENOTIMPL if mod_md does not provide stapling for this server/cert
  otherwise, a real error happened.
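As an added illustration (not httpd, mod_ssl or mod_md code), the following C model shows how a caller on the mod_ssl side would act on the return codes listed above, and how the "renew window" replaces SSLStaplingResponseMaxAge in the watchdog. The APR types and numeric codes, the md_cert_state struct, the md_ocsp_response struct, the stapling_all flag and the ssl_stapling_decide() / md_stapling_needs_renew() helpers are all constructed stand-ins; the real functions take server_rec, X509 and conn_rec arguments and the real codes come from apr_errno.h.

```c
/*
 * Added example: a model of the proposed mod_ssl <-> mod_md interworking.
 * Everything here is a constructed stand-in, not code from httpd or mod_md.
 */
#include <stddef.h>
#include <stdio.h>
#include <time.h>

typedef int apr_status_t;
#define APR_SUCCESS   0
#define APR_ENOENT    2       /* stand-in numeric values, see apr_errno.h */
#define APR_ENOTIMPL  20023

/* Stand-in for the mod_md OCSP response object (DER bytes). */
typedef struct {
    const unsigned char *der;
    size_t len;
} md_ocsp_response;

/* Constructed per-certificate state, as the watchdog would persist it. */
typedef struct {
    int covered_by_md;        /* certificate belongs to a managed domain */
    int md_stapling_on;       /* "MDStapling on" for that MD */
    int responder_error;      /* last fetch failed: logged, never stapled */
    time_t next_update;       /* nextUpdate of the cached response, 0 = none */
    md_ocsp_response rsp;
} md_cert_state;

/* --- provider side (modelled mod_md) --- */

/* Mirrors md_stapling_init_cert(): APR_SUCCESS means mod_md takes over,
 * APR_ENOTIMPL means mod_ssl continues with its own stapling. */
apr_status_t md_stapling_init_cert(const md_cert_state *st, int stapling_all)
{
    if (st->covered_by_md && st->md_stapling_on) return APR_SUCCESS;
    if (stapling_all) return APR_SUCCESS;          /* "MDStapling all" */
    return APR_ENOTIMPL;
}

/* Mirrors md_stapling_get_response(): only a currently valid response is
 * handed out; responder errors and expiry yield APR_ENOENT (no stapling),
 * never an error or "try later" sent to the client. */
apr_status_t md_stapling_get_response(const md_ocsp_response **prsp,
                                      const md_cert_state *st,
                                      int stapling_all, time_t now)
{
    *prsp = NULL;
    if (md_stapling_init_cert(st, stapling_all) == APR_ENOTIMPL)
        return APR_ENOTIMPL;
    if (st->responder_error || st->next_update == 0 || now >= st->next_update)
        return APR_ENOENT;
    *prsp = &st->rsp;
    return APR_SUCCESS;
}

/* Watchdog "renew window": fetch a new response renew_window seconds
 * before the cached one expires, or immediately if there is none. */
int md_stapling_needs_renew(const md_cert_state *st, time_t now, long renew_window)
{
    if (st->next_update == 0 || st->responder_error) return 1;
    return now >= st->next_update - renew_window;
}

/* --- caller side (modelled mod_ssl) --- */

typedef enum {
    STAPLE_FROM_MD,     /* attach mod_md's response to the handshake */
    STAPLE_FROM_MODSSL, /* fall back to mod_ssl's own stapling code */
    STAPLE_NONE,        /* send no status; must-staple clients will fail */
    STAPLE_ERROR        /* a real error: log it, send no status */
} staple_decision;

staple_decision ssl_stapling_decide(const md_cert_state *st, int stapling_all,
                                    time_t now, const md_ocsp_response **out)
{
    apr_status_t rv = md_stapling_get_response(out, st, stapling_all, now);
    switch (rv) {
    case APR_SUCCESS:  return STAPLE_FROM_MD;
    case APR_ENOENT:   return STAPLE_NONE;
    case APR_ENOTIMPL: return STAPLE_FROM_MODSSL;
    default:           return STAPLE_ERROR;
    }
}

int main(void)
{
    /* constructed sample: managed cert, response valid until t=2000 */
    md_cert_state st = {1, 1, 0, (time_t)2000, {NULL, 0}};
    const md_ocsp_response *r = NULL;
    printf("decision at t=1000: %d\n", ssl_stapling_decide(&st, 0, 1000, &r));
    printf("renew at t=1600 (window 500): %d\n",
           md_stapling_needs_renew(&st, 1600, 500));
    return 0;
}
```

The decision table is the part worth checking against the proposal: ENOTIMPL is the only code that routes back into mod_ssl's existing stapling path, while ENOENT deliberately produces no status at all, which is what makes must-staple clients fail rather than see a stale or error response.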