Re: [patch] relayd OCSP stapling for TLS server

2019-06-22 Thread Bruno Flueckiger
On 22.06., Theo Buehler wrote:
> On Fri, Jun 21, 2019 at 01:28:03PM +0200, Reyk Floeter wrote:
> > On Thu, Jun 20, 2019 at 07:58:10PM +0200, Bruno Flueckiger wrote:
> > > Hi,
> > >
> > > The patch below adds OCSP stapling to the TLS server in relayd(8). The
> > > OCSP response is read from a binary encoded DER file that can be created
> > > using ocspcheck(8).
> > >
> > > If a file with the same name as the certificate and private key files is
> > > found, its content is loaded and OCSP stapling is active. If there is no
> > > file or loading its content fails, OCSP stapling remains disabled.
> > >
> > > relayd(8) uses the same mechanism it uses to find the certificate file,
> > > only the file name extension is different: .der instead of .pem
> > >
> >
> > I had this diff finished more than a month ago, but it had to wait for
> > the SNI diff to go in.  It is surprisingly similar to your version
> > except some minor difference in relay_tls_ctx_create(), the man page,
> > and the fact that I've decided for using ".ocsp" instead of ".der" for
> > the ending (as .der could be anything).
> >
> > OK?
>
> Reads fine. Would be nice to hear that this works for Bruno, but it is
>
> ok tb
>

I like ".ocsp" better than ".der". And I'm a bit proud that my diff
turns out to be good, although late :-). It works for me.

Bruno



Re: [patch] relayd OCSP stapling for TLS server

2019-06-21 Thread Theo Buehler
On Fri, Jun 21, 2019 at 01:28:03PM +0200, Reyk Floeter wrote:
> On Thu, Jun 20, 2019 at 07:58:10PM +0200, Bruno Flueckiger wrote:
> > Hi,
> > 
> > The patch below adds OCSP stapling to the TLS server in relayd(8). The
> > OCSP response is read from a binary encoded DER file that can be created
> > using ocspcheck(8).
> > 
> > If a file with the same name as the certificate and private key files is
> > found, its content is loaded and OCSP stapling is active. If there is no
> > file or loading its content fails, OCSP stapling remains disabled.
> > 
> > relayd(8) uses the same mechanism it uses to find the certificate file,
> > only the file name extension is different: .der instead of .pem
> > 
> 
> I had this diff finished more than a month ago, but it had to wait for
> the SNI diff to go in.  It is surprisingly similar to your version
> except some minor difference in relay_tls_ctx_create(), the man page,
> and the fact that I've decided for using ".ocsp" instead of ".der" for
> the ending (as .der could be anything).
> 
> OK?

Reads fine. Would be nice to hear that this works for Bruno, but it is

ok tb



Re: [patch] relayd OCSP stapling for TLS server

2019-06-21 Thread Reyk Floeter
On Thu, Jun 20, 2019 at 07:58:10PM +0200, Bruno Flueckiger wrote:
> Hi,
> 
> The patch below adds OCSP stapling to the TLS server in relayd(8). The
> OCSP response is read from a binary encoded DER file that can be created
> using ocspcheck(8).
> 
> If a file with the same name as the certificate and private key files is
> found, its content is loaded and OCSP stapling is active. If there is no
> file or loading its content fails, OCSP stapling remains disabled.
> 
> relayd(8) uses the same mechanism it uses to find the certificate file,
> only the file name extension is different: .der instead of .pem
> 

I had this diff finished more than a month ago, but it had to wait for
the SNI diff to go in.  It is surprisingly similar to your version
except some minor difference in relay_tls_ctx_create(), the man page,
and the fact that I've decided for using ".ocsp" instead of ".der" for
the ending (as .der could be anything).

OK?

Reyk

Index: usr.sbin/relayd/config.c
===
RCS file: /cvs/src/usr.sbin/relayd/config.c,v
retrieving revision 1.39
diff -u -p -u -p -r1.39 config.c
--- usr.sbin/relayd/config.c1 Jun 2019 09:54:19 -   1.39
+++ usr.sbin/relayd/config.c21 Jun 2019 11:11:05 -
@@ -903,6 +903,16 @@ config_setrelay(struct relayd *env, stru
rlay->rl_conf.name);
return (-1);
}
+   if (id == PROC_RELAY &&
+   cert->cert_ocsp_fd != -1 &&
+   config_setrelayfd(ps, id, n,
+   cert->cert_id, cert->cert_relayid,
+   RELAY_FD_OCSP, cert->cert_ocsp_fd) == -1) {
+   log_warn("%s: fd passing failed for "
+   "`%s'", __func__,
+   rlay->rl_conf.name);
+   return (-1);
+   }
if (id == PROC_CA &&
cert->cert_key_fd != -1 &&
config_setrelayfd(ps, id, n,
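Review bot: The warning emitted by the new OCSP branch is word-for-word the one the certificate branch above it uses, so an operator reading the relayd log cannot tell which of a relay's descriptors failed to reach the relay process; naming the descriptor in the first fragment of the format, e.g. `"%s: ocsp fd passing failed for "`, makes the failure actionable without changing the flow. Gating the transfer on `id == PROC_RELAY` and returning -1 mirror how the cert descriptor is handled, and the parent's copy of the fd is released by the later close hunk. config_setrelay begins and ends outside this hunk.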
@@ -992,6 +1002,10 @@ config_setrelay(struct relayd *env, stru
close(cert->cert_key_fd);
cert->cert_key_fd = -1;
}
+   if (cert->cert_ocsp_fd != -1) {
+   close(cert->cert_ocsp_fd);
+   cert->cert_ocsp_fd = -1;
+   }
}
 
return (0);
@@ -1113,6 +1127,7 @@ config_getrelayfd(struct relayd *env, st
switch (crfd.type) {
case RELAY_FD_CERT:
case RELAY_FD_KEY:
+   case RELAY_FD_OCSP:
if ((cert = cert_find(env, crfd.id)) == NULL) {
if ((cert = cert_add(env, crfd.id)) == NULL)
return (-1);
@@ -1133,6 +1148,9 @@ config_getrelayfd(struct relayd *env, st
break;
case RELAY_FD_KEY:
cert->cert_key_fd = imsg->fd;
+   break;
+   case RELAY_FD_OCSP:
+   cert->cert_ocsp_fd = imsg->fd;
break;
case RELAY_FD_CACERT:
rlay->rl_tls_ca_fd = imsg->fd;
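Review bot: The new RELAY_FD_OCSP case stores imsg->fd into cert->cert_ocsp_fd without looking at the previous value, so if config_getrelayfd is ever handed a second OCSP descriptor for the same cert id (a reload, or a duplicated message) the earlier descriptor leaks in the relay process. The RELAY_FD_KEY case directly above has the same shape, so this is presumably covered by cert_add() initialising the fields to -1 and each descriptor being delivered once; a one-line `if (cert->cert_ocsp_fd != -1) close(cert->cert_ocsp_fd);` before the assignment would make that guarantee explicit rather than implied. config_getrelayfd starts and ends outside the hunk.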
Index: usr.sbin/relayd/relay.c
===
RCS file: /cvs/src/usr.sbin/relayd/relay.c,v
retrieving revision 1.247
diff -u -p -u -p -r1.247 relay.c
--- usr.sbin/relayd/relay.c 31 May 2019 15:15:37 -  1.247
+++ usr.sbin/relayd/relay.c 21 Jun 2019 11:11:06 -
@@ -2130,8 +2130,8 @@ relay_tls_ctx_create(struct relay *rlay)
struct relay_cert   *cert;
const char  *fake_key;
int  fake_keylen, keyfound = 0;
-   char*buf = NULL, *cabuf = NULL;
-   off_tlen = 0, calen = 0;
+   char*buf = NULL, *cabuf = NULL, *ocspbuf = NULL;
+   off_tlen = 0, calen = 0, ocsplen = 0;
 
if ((tls_cfg = tls_config_new()) == NULL) {
log_warnx("unable to allocate TLS config");
@@ -2203,6 +2203,16 @@ relay_tls_ctx_create(struct relay *rlay)
}
cert->cert_fd = -1;
 
+   if (cert->cert_ocsp_fd != -1 &&
+   (ocspbuf = relay_load_fd(cert->cert_ocsp_fd,
+   &ocsplen)) == NULL) {
+   log_warn("failed to load OCSP staplefile");
+   goto err;
+   }
+   if (ocsplen == 0)
+   purge_key(&ocspbuf, ocsplen);
+   cert->cert_ocsp_fd = -1;
+
if ((fake_keylen = ssl_ctx_fake_private_key(buf, len,
  

Re: [patch] relayd OCSP stapling for TLS server

2019-06-20 Thread Reyk Floeter
Hi Bruno,

thanks for your efforts. I've already written an OCSP patch which was being 
delayed in review.

I don’t have the patch at hand but you can see the branch at 
https://github.com/reyk/relayd/tree/ocsp

Reyk

> Am 20.06.2019 um 19:58 schrieb Bruno Flueckiger :
> 
> Hi,
> 
> The patch below adds OCSP stapling to the TLS server in relayd(8). The
> OCSP response is read from a binary encoded DER file that can be created
> using ocspcheck(8).
> 
> If a file with the same name as the certificate and private key files is
> found, its content is loaded and OCSP stapling is active. If there is no
> file or loading its content fails, OCSP stapling remains disabled.
> 
> relayd(8) uses the same mechanism it uses to find the certificate file,
> only the file name extension is different: .der instead of .pem
> 
> Cheers,
> Bruno
> 
> Index: usr.sbin/relayd/config.c
> ===
> RCS file: /cvs/src/usr.sbin/relayd/config.c,v
> retrieving revision 1.39
> diff -u -p -r1.39 config.c
> --- usr.sbin/relayd/config.c1 Jun 2019 09:54:19 -1.39
> +++ usr.sbin/relayd/config.c20 Jun 2019 17:37:09 -
> @@ -913,6 +913,14 @@ config_setrelay(struct relayd *env, stru
>rlay->rl_conf.name);
>return (-1);
>}
> +if (cert->cert_ocsp_fd != -1 &&
> +config_setrelayfd(ps, id, n,
> +cert->cert_id, cert->cert_relayid,
> +RELAY_FD_OCSP, cert->cert_ocsp_fd) == -1) {
> +log_warn("%s: fd passing failed for "
> +"`%s'", __func__,
> +rlay->rl_conf.name);
> +}
>}
>}
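Review bot: A failed config_setrelayfd() for the OCSP descriptor is only logged here, whereas the certificate and key branches this block copies bail out with `return (-1);` (the context line just above shows that exit); the parent then keeps a cert_ocsp_fd that the relay process never received, and the descriptor is only released in the later close hunk. Unlike the competing diff above, the transfer is also not gated on the process id, so as far as the hunk shows the OCSP descriptor is passed to whichever process is being configured, including the CA process that has no use for it. Adding `id == PROC_RELAY &&` to the condition and `return (-1);` after the log_warn() brings it in line with the cert branch. The same hunk appears again unquoted in Bruno's original post below (config.c @@ -913,6 +913,14 @@). config_setrelay begins and ends outside the hunk.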
> 
> @@ -992,6 +1000,10 @@ config_setrelay(struct relayd *env, stru
>close(cert->cert_key_fd);
>cert->cert_key_fd = -1;
>}
> +if (cert->cert_ocsp_fd != -1) {
> +close(cert->cert_ocsp_fd);
> +cert->cert_ocsp_fd = -1;
> +}
>}
> 
>return (0);
> @@ -1113,6 +1125,7 @@ config_getrelayfd(struct relayd *env, st
>switch (crfd.type) {
>case RELAY_FD_CERT:
>case RELAY_FD_KEY:
> +case RELAY_FD_OCSP:
>if ((cert = cert_find(env, crfd.id)) == NULL) {
>if ((cert = cert_add(env, crfd.id)) == NULL)
>return (-1);
> @@ -1139,6 +1152,9 @@ config_getrelayfd(struct relayd *env, st
>break;
>case RELAY_FD_CAFILE:
>rlay->rl_tls_cacert_fd = imsg->fd;
> +break;
> +case RELAY_FD_OCSP:
> +cert->cert_ocsp_fd = imsg->fd;
>break;
>}
> 
> Index: usr.sbin/relayd/relay.c
> ===
> RCS file: /cvs/src/usr.sbin/relayd/relay.c,v
> retrieving revision 1.247
> diff -u -p -r1.247 relay.c
> --- usr.sbin/relayd/relay.c31 May 2019 15:15:37 -1.247
> +++ usr.sbin/relayd/relay.c20 Jun 2019 17:37:09 -
> @@ -2130,8 +2130,8 @@ relay_tls_ctx_create(struct relay *rlay)
>struct relay_cert*cert;
>const char*fake_key;
>int fake_keylen, keyfound = 0;
> -char*buf = NULL, *cabuf = NULL;
> -off_t len = 0, calen = 0;
> +char*buf = NULL, *cabuf = NULL, *ocspbuf = NULL;
> +off_t len = 0, calen = 0, ocsplen = 0;
> 
>if ((tls_cfg = tls_config_new()) == NULL) {
>log_warnx("unable to allocate TLS config");
> @@ -2209,9 +2209,19 @@ relay_tls_ctx_create(struct relay *rlay)
>goto err;
>}
> 
> +if (cert->cert_ocsp_fd == -1)
> +goto without;
> +
> +if ((ocspbuf = relay_load_fd(cert->cert_ocsp_fd,
> +&ocsplen)) == NULL) {
> +log_warn("failed to load ocsp staple");
> +ocsplen = 0;
> +}
> +
> + without:
>if (keyfound == 1 &&
>tls_config_set_keypair_ocsp_mem(tls_cfg, buf, len,
> -fake_key, fake_keylen, NULL, 0) != 0) {
> +fake_key, fake_keylen, ocspbuf, ocsplen) != 0) {
>log_warnx("failed to set tls certificate: %s",
>tls_config_error(tls_cfg));
>goto err;
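Review bot: After relay_load_fd() the descriptor field is left untouched, while the certificate load earlier in this function resets `cert->cert_fd = -1;` once the buffer is in memory (visible as context in the competing diff above); keeping a stale number in cert_ocsp_fd invites a later close() on a descriptor that may already be closed or reused. The goto/label pair only skips one statement, so the flow reads better as a nested if, and a relay_load_fd() success with ocsplen == 0 (empty staple file) would hand a non-NULL, zero-length staple to tls_config_set_keypair_ocsp_mem(), which the other diff avoids by dropping the buffer with purge_key() in that case. ocspbuf also needs the same release as buf and cabuf at the function's exit, which lies outside the hunk, as does the rest of relay_tls_ctx_create. The unquoted copy of this hunk in Bruno's post below (relay.c @@ -2209,9 +2209,19 @@) has the same shape.
```c
	if (cert->cert_ocsp_fd != -1) {
		if ((ocspbuf = relay_load_fd(cert->cert_ocsp_fd,
		    &ocsplen)) == NULL) {
			log_warn("failed to load ocsp staple");
			ocsplen = 0;
		} else if (ocsplen == 0)
			purge_key(&ocspbuf, ocsplen);	/* empty file: no staple */
		cert->cert_ocsp_fd = -1;
	}
	/* … unchanged: tls_config_set_keypair_ocsp_mem() call … */
```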
> @@ -2223,7 +2233,7 @@ relay_tls_ctx_create(struct relay *rlay)
>goto err;
> 
>if (tls_config_add_keypair_ocsp_mem(tls_cfg, buf, len,
> -fake_key, fake_keylen, NULL, 0) != 0) {
> +fake_key, fake_keylen, ocspbuf, ocsplen) != 0) {
>log_warnx("failed to add tls certificate: %s",
>tls_config_error(tls_cfg));
>goto err;
> Index: usr.sbin/relayd/relayd.c
> ===
> RCS file: /cvs/src/usr.sbin/relayd/relayd.c,v
> retrieving revision 1.179
> diff -u -p -r1.179 relayd.c
> --- usr.sbin/relayd/relayd.c31 May 2019 15:25:57 -0

[patch] relayd OCSP stapling for TLS server

2019-06-20 Thread Bruno Flueckiger
Hi,

The patch below adds OCSP stapling to the TLS server in relayd(8). The
OCSP response is read from a binary encoded DER file that can be created
using ocspcheck(8).

If a file with the same name as the certificate and private key files is
found, its content is loaded and OCSP stapling is active. If there is no
file or loading its content fails, OCSP stapling remains disabled.

relayd(8) uses the same mechanism it uses to find the certificate file,
only the file name extension is different: .der instead of .pem

Cheers,
Bruno

Index: usr.sbin/relayd/config.c
===
RCS file: /cvs/src/usr.sbin/relayd/config.c,v
retrieving revision 1.39
diff -u -p -r1.39 config.c
--- usr.sbin/relayd/config.c1 Jun 2019 09:54:19 -   1.39
+++ usr.sbin/relayd/config.c20 Jun 2019 17:37:09 -
@@ -913,6 +913,14 @@ config_setrelay(struct relayd *env, stru
rlay->rl_conf.name);
return (-1);
}
+   if (cert->cert_ocsp_fd != -1 &&
+   config_setrelayfd(ps, id, n,
+   cert->cert_id, cert->cert_relayid,
+   RELAY_FD_OCSP, cert->cert_ocsp_fd) == -1) {
+   log_warn("%s: fd passing failed for "
+   "`%s'", __func__,
+   rlay->rl_conf.name);
+   }
}
}

@@ -992,6 +1000,10 @@ config_setrelay(struct relayd *env, stru
close(cert->cert_key_fd);
cert->cert_key_fd = -1;
}
+   if (cert->cert_ocsp_fd != -1) {
+   close(cert->cert_ocsp_fd);
+   cert->cert_ocsp_fd = -1;
+   }
}

return (0);
@@ -1113,6 +1125,7 @@ config_getrelayfd(struct relayd *env, st
switch (crfd.type) {
case RELAY_FD_CERT:
case RELAY_FD_KEY:
+   case RELAY_FD_OCSP:
if ((cert = cert_find(env, crfd.id)) == NULL) {
if ((cert = cert_add(env, crfd.id)) == NULL)
return (-1);
@@ -1139,6 +1152,9 @@ config_getrelayfd(struct relayd *env, st
break;
case RELAY_FD_CAFILE:
rlay->rl_tls_cacert_fd = imsg->fd;
+   break;
+   case RELAY_FD_OCSP:
+   cert->cert_ocsp_fd = imsg->fd;
break;
}

Index: usr.sbin/relayd/relay.c
===
RCS file: /cvs/src/usr.sbin/relayd/relay.c,v
retrieving revision 1.247
diff -u -p -r1.247 relay.c
--- usr.sbin/relayd/relay.c 31 May 2019 15:15:37 -  1.247
+++ usr.sbin/relayd/relay.c 20 Jun 2019 17:37:09 -
@@ -2130,8 +2130,8 @@ relay_tls_ctx_create(struct relay *rlay)
struct relay_cert   *cert;
const char  *fake_key;
int  fake_keylen, keyfound = 0;
-   char*buf = NULL, *cabuf = NULL;
-   off_tlen = 0, calen = 0;
+   char*buf = NULL, *cabuf = NULL, *ocspbuf = NULL;
+   off_tlen = 0, calen = 0, ocsplen = 0;

if ((tls_cfg = tls_config_new()) == NULL) {
log_warnx("unable to allocate TLS config");
@@ -2209,9 +2209,19 @@ relay_tls_ctx_create(struct relay *rlay)
goto err;
}

+   if (cert->cert_ocsp_fd == -1)
+   goto without;
+
+   if ((ocspbuf = relay_load_fd(cert->cert_ocsp_fd,
+   &ocsplen)) == NULL) {
+   log_warn("failed to load ocsp staple");
+   ocsplen = 0;
+   }
+
+ without:
if (keyfound == 1 &&
tls_config_set_keypair_ocsp_mem(tls_cfg, buf, len,
-   fake_key, fake_keylen, NULL, 0) != 0) {
+   fake_key, fake_keylen, ocspbuf, ocsplen) != 0) {
log_warnx("failed to set tls certificate: %s",
tls_config_error(tls_cfg));
goto err;
@@ -2223,7 +2233,7 @@ relay_tls_ctx_create(struct relay *rlay)
goto err;

if (tls_config_add_keypair_ocsp_mem(tls_cfg, buf, len,
-   fake_key, fake_keylen, NULL, 0) != 0) {
+   fake_key, fake_keylen, ocspbuf, ocsplen) != 0) {
log_warnx("failed to add tls certificate: %s",
tls_config_error(t