[PATCH] OCSP stapling for GnuTLS and NSS

From: Alessandro Ghedini <alessandro_at_ghedini.me>
Date: Fri, 12 Dec 2014 14:58:15 +0100

Or, yet another attempt at starting a discussion on this... :/

(I kinda lost track of the feature freeze date, if one has been decided for
this release cycle, so apologies if this comes at the wrong moment).

I attached the patches that implement OCSP stapling for both GnuTLS and NSS
backends, and the --cert-status option for curl. They also include documentation
for both the libcurl and curl options.

So, the GnuTLS and NSS backends are, AFAICT, fully functional. The failures I
was seeing in the GnuTLS backend were caused by a bug in GnuTLS itself, which
got fixed in the 3.3.11 release. You may still see failures due to a bug in
libtasn1 (used by GnuTLS), which got fixed in the 4.2 release (for reference
see [0] and [1]).

As for the OpenSSL backend (which I left out for now), I'm pretty sure OpenSSL's
OCSP support is broken, since it requires the issuer certificate to be in the
trust store (which basically means that e.g. an intermediate certificate needs
to be in the store, even if it's itself signed by a CA certificate). Notably,
this breaks pretty much all CloudFlare sites (or any sites that use intermediate
certificates) unless those issuers are trusted with --capath/--cacert. I haven't
looked into this yet, but I'll probably file a bug report at some point, and
finish up the curl support if/when this gets fixed.

Even without OpenSSL support (which can be added later on), I think this is
ready to be merged. For testing, you can use the following websites that support
OCSP stapling:

https://yahoo.com
https://mozilla.org
https://tn123.org
https://digitalocean.com (from CloudFlare)
https://kuix.de:5148
https://kuix.de:5149 (this got its certificate revoked, so the check must fail)

I've kept the patches separate to ease development and review, but I can merge
them if needed.

Cheers

[0] https://bugs.debian.org/772055
[1] https://bugs.debian.org/759161

Received on 2014-12-12