Re: [WIP/RFC] Certificate Status Request (aka OCSP stapling)
Date: Thu, 17 Jul 2014 13:01:44 +0200
On Mon, Jun 16, 2014 at 11:15:20PM +0200, Alessandro Ghedini wrote:
> I spent the afternoon fighting with OpenSSL and GnuTLS documentation trying to
> add support for OCSP stapling to libcurl.
> The result is a mostly-not-working-but-you-get-the-idea implementation for both
> the OpenSSL and GnuTLS backends (I haven't even looked at NSS but it shouldn't
> be hard).
> The core of this is the new CURLOPT_SSL_VERIFYSTATUS which tells libcurl whether
> to request and check the certificate status or not. This could also be used in
> the future if someone decides to implement full-blown OCSP (e.g. if stapling
> isn't available on the server do full OCSP, or something like that), or even to
> allow the user to provide the OCSP response via other means, etc...
> I've also added the new --cert-status option, which enables this functionality
> for curl (it isn't enabled by default because most servers don't support this).
> You can see my patches at  (in the branch "status_request").
> Now the problems:
> * in the OpenSSL backend, the call to OCSP_basic_verify() always fails for some
> reason. I'm pretty sure I'm not using it correctly, but I don't know why...
> obviously there's no documentation at all for that. Could someone with more
> OpenSSL experience look into it?
> * in the GnuTLS backend, well, I'm not sure whose fault it is but the parsing
> of the OCSP response always fails (the gnutls_ocsp_resp_import() call, which
> is also called by gnutls_ocsp_status_request_is_checked() internally, and I
> guess that's why it fails too). It requires GnuTLS 3.1.3 or higher btw.
> I'm not well versed in TLS libraries so I may have done something very wrong,
> but it's a start I guess. I'd appreciate comments and help.
Just a quick status update: I did some clean-up, but the OpenSSL and GnuTLS
backends are still broken. On the other hand, the NSS one seems to work fine.
Leaving the specific backends aside, I'd like to know if the API mechanism (the
new CURLOPT_SSL_VERIFYSTATUS option) is ok, or if anyone has a better idea (same
goes for the --cert-status command-line option).
I don't have much time to work on this though, so if anyone is interested feel
free to jump in (given the dead discussion I'm not sure if there even is someone
interested, but whatever).
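As an added example, not part of this thread or of libcurl: when a stapled response is rejected by the TLS library, it helps to inspect the outer OCSPResponse envelope (RFC 6960, section 4.2.1) first. The Python below does only that: it reports the responseStatus, checks that the responseType OID is id-pkix-ocsp-basic, and extracts the BasicOCSPResponse bytes that OCSP_basic_verify() or gnutls_ocsp_resp_import() would consume. The DER samples are constructed by hand and the `deadbeef` payload is a placeholder, not a real BasicOCSPResponse. Nothing here verifies the responder signature or the certificate status; that stays the TLS library's job.

```python
# Minimal inspection of a stapled OCSPResponse envelope (RFC 6960 section 4.2.1).
# Added example; the sample blobs below are constructed, not captured from a server.

# responseStatus values defined in RFC 6960 (value 4 is unused by the RFC)
OCSP_RESPONSE_STATUS = {
    0: "successful",
    1: "malformedRequest",
    2: "internalError",
    3: "tryLater",
    5: "sigRequired",
    6: "unauthorized",
}

# Content bytes of the DER OID 1.3.6.1.5.5.7.48.1.1 (id-pkix-ocsp-basic)
ID_PKIX_OCSP_BASIC = bytes.fromhex("2b0601050507300101")


def _read_tlv(buf, pos):
    """Read one DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_ocsp_response_envelope(der):
    """Return status, whether the response is a BasicOCSPResponse, and its raw payload."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("OCSPResponse must be a single SEQUENCE")
    tag, status, pos = _read_tlv(body, 0)
    if tag != 0x0A or len(status) != 1:
        raise ValueError("responseStatus must be a one-byte ENUMERATED")
    code = status[0]
    result = {"status_code": code,
              "status": OCSP_RESPONSE_STATUS.get(code, "unknown"),
              "basic": False, "payload": None}
    if pos == len(body):  # responseBytes absent: normal for error statuses
        return result
    tag, rb, pos = _read_tlv(body, pos)
    if tag != 0xA0 or pos != len(body):
        raise ValueError("responseBytes must be [0] EXPLICIT and last")
    tag, rb_seq, end = _read_tlv(rb, 0)
    if tag != 0x30 or end != len(rb):
        raise ValueError("ResponseBytes must be a SEQUENCE")
    tag, oid, pos = _read_tlv(rb_seq, 0)
    if tag != 0x06:
        raise ValueError("responseType must be an OID")
    tag, payload, pos = _read_tlv(rb_seq, pos)
    if tag != 0x04 or pos != len(rb_seq):
        raise ValueError("response must be an OCTET STRING and last")
    result["basic"] = oid == ID_PKIX_OCSP_BASIC
    result["payload"] = payload
    return result


def check_staple(der):
    """(ok, reason): ok only when the blob is worth handing to the TLS library's verifier."""
    try:
        r = parse_ocsp_response_envelope(der)
    except ValueError as exc:
        return False, "malformed envelope: %s" % exc
    if r["status_code"] != 0:
        return False, "responder status %s" % r["status"]
    if not r["basic"]:
        return False, "responseType is not id-pkix-ocsp-basic"
    return True, "BasicOCSPResponse of %d bytes" % len(r["payload"])


# Constructed samples (not real responder output):
#   successful + id-pkix-ocsp-basic + placeholder payload 'deadbeef'
SAMPLE_SUCCESSFUL = bytes.fromhex(
    "30180a0100a01330110609" "2b0601050507300101" "0404deadbeef")
#   tryLater, no responseBytes
SAMPLE_TRYLATER = bytes.fromhex("30030a0103")

if __name__ == "__main__":
    for name, blob in (("successful", SAMPLE_SUCCESSFUL),
                       ("tryLater", SAMPLE_TRYLATER),
                       ("truncated", SAMPLE_SUCCESSFUL[:10])):
        print(name, check_staple(blob))
```

The `ok` result only means the envelope is well formed and carries a BasicOCSPResponse; the signature over it and the cert status inside it must still be checked by the backend, and a client that asked for stapling should treat a non-successful or missing response according to its own policy rather than silently continuing.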