
curl-library

[PATCH v2] OCSP stapling for GnuTLS and NSS

From: Alessandro Ghedini <alessandro_at_ghedini.me>
Date: Thu, 8 Jan 2015 12:08:24 +0100

Here I am again :)

The only difference from [0] is that I fixed the NSS patch to shorten the line that
was longer than 79 chars, as Kamil suggested. I also fixed some typos in the commit
messages.

Unfortunately I haven't had much time to look into the OpenSSL problem yet. For
those interested my current patch is at [1] (in the status_request_openssl
branch).

I'm including my original mail below, for context:

> I attached the patches that implement OCSP stapling for both GnuTLS and NSS
> backends, and the --cert-status option for curl. They also include documentation
> for both the libcurl and curl options.
>
> So, the GnuTLS and NSS backends are, AFAICT, fully functional. The failures I
> was seeing in the GnuTLS backend were caused by a bug in GnuTLS itself, which
> got fixed in the 3.3.11 release. You may still see failures due to a bug in
> libtasn1 (used by GnuTLS), which got fixed in the 4.2 release (for reference
> see [0] and [1]).
>
> As for the OpenSSL backend (which I left out for now), I'm pretty sure OpenSSL's
> OCSP support is broken, since it requires the issuer certificate to be in the
> trust store (which basically means that e.g. an intermediate certificate needs
> to be in the store, even if it's itself signed by a CA certificate). Notably,
> this breaks pretty much all CloudFlare sites (or any sites that use intermediate
> certificates) unless those issuers are trusted with --capath/--cacert. I haven't
> looked into this yet, but I'll probably file a bug report at some point, and
> finish up the curl support if/when this gets fixed.
>
> Even without OpenSSL support (which can be added later on), I think this is
> ready to be merged. For testing, you can use the following websites that support
> OCSP stapling:
>
> https://yahoo.com
> https://mozilla.org
> https://tn123.org
> https://digitalocean.com (from CloudFlare)
> https://kuix.de:5148
> https://kuix.de:5149 (this got its certificate revoked, so the check must fail)
>
> [0] https://bugs.debian.org/772055
> [1] https://bugs.debian.org/759161

Cheers

[0] http://curl.haxx.se/mail/lib-2014-12/0107.html
[1] https://github.com/ghedo/curl/tree/status_request_openssl
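Added example (not part of this mail, of the attached patches, or of curl itself): a Go program that shows the mechanism the GnuTLS and NSS patches plumb through, namely a TLS server handing the client an OCSP response inside the handshake via the status_request path, and the strict client-side check a --cert-status style option implies, where a missing staple or a non-successful responseStatus fails the connection. Everything in it is constructed: the self-signed certificate, the two staples (which carry only an OCSPResponse responseStatus and no signed BasicOCSPResponse, so the program runs offline), and the function names. It deliberately stops before verifying the BasicOCSPResponse signature and certStatus, which is exactly the step that needs the issuer certificate discussed in the OpenSSL note above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ocspEnvelope is the outer OCSPResponse of RFC 6960 section 4.2.1:
//   OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED,
//                               responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
type ocspEnvelope struct {
	ResponseStatus asn1.Enumerated
	ResponseBytes  asn1.RawValue `asn1:"explicit,tag:0,optional"`
}

// Constructed staples for this demo, not real responder output: responseStatus
// only, no BasicOCSPResponse, so nothing here needs network access.
var (
	stapleSuccessful = []byte{0x30, 0x03, 0x0a, 0x01, 0x00} // SEQUENCE { ENUMERATED 0 = successful }
	stapleTryLater   = []byte{0x30, 0x03, 0x0a, 0x01, 0x03} // SEQUENCE { ENUMERATED 3 = tryLater }
)

// checkStaple is the strict client policy: no staple is a failure, not
// "unknown", and so is any responseStatus other than successful. Verifying the
// BasicOCSPResponse signature, certID and certStatus needs the issuer
// certificate and is out of scope for this example.
func checkStaple(staple []byte) error {
	if len(staple) == 0 {
		return errors.New("ocsp: server sent no stapled response")
	}
	var env ocspEnvelope
	rest, err := asn1.Unmarshal(staple, &env)
	if err != nil {
		return fmt.Errorf("ocsp: malformed OCSPResponse: %w", err)
	}
	if len(rest) != 0 {
		return errors.New("ocsp: trailing bytes after OCSPResponse")
	}
	if env.ResponseStatus != 0 {
		return fmt.Errorf("ocsp: responseStatus %d is not successful", env.ResponseStatus)
	}
	return nil
}

// selfSignedServerCert mints a throwaway "localhost" certificate carrying the
// given staple, plus a pool that trusts it. Assumed names, demo only.
func selfSignedServerCert(staple []byte) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "stapling demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	// OCSPStaple is what the server returns in the status_request path.
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, OCSPStaple: staple}, pool, nil
}

// stapleSeenByClient runs one in-memory handshake and returns the OCSP response
// the client received inside it, with no separate fetch from a responder.
func stapleSeenByClient(staple []byte) ([]byte, error) {
	cert, pool, err := selfSignedServerCert(staple)
	if err != nil {
		return nil, err
	}
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	// Tickets off so the server flight ends at Finished; on a synchronous
	// net.Pipe an unread NewSessionTicket would block the server goroutine.
	srv := tls.Server(srvConn, &tls.Config{
		Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true, MinVersion: tls.VersionTLS12,
	})
	errc := make(chan error, 1)
	go func() { errc <- srv.Handshake() }()
	cli := tls.Client(cliConn, &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS12})
	if err := cli.Handshake(); err != nil {
		return nil, err
	}
	if err := <-errc; err != nil {
		return nil, err
	}
	return cli.ConnectionState().OCSPResponse, nil
}

// connectWithCertStatus is the end-to-end check: handshake, then apply the policy.
func connectWithCertStatus(staple []byte) error {
	got, err := stapleSeenByClient(staple)
	if err != nil {
		return err
	}
	return checkStaple(got)
}

func main() {
	for name, s := range map[string][]byte{"successful": stapleSuccessful, "tryLater": stapleTryLater, "none": nil} {
		fmt.Printf("%-10s -> %v\n", name, connectWithCertStatus(s))
	}
}
```

The point the kuix.de:5149 test case makes, that a stapled response must be able to fail the connection, is what connectWithCertStatus does for the tryLater and missing-staple cases; a full implementation would additionally parse responseBytes and verify the BasicOCSPResponse against the issuer before trusting certStatus.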


Received on 2015-01-08