Re: [PATCH] OCSP stapling for GnuTLS and NSS

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Mon, 15 Dec 2014 13:18 +0100

On Friday 12 December 2014 14:58:15 Alessandro Ghedini wrote:
> Or, yet another attempt at starting a discussion on this... :/
>
> (I kinda lost track of the feature freeze date, if any has been decided for
> this release cycle, so apologies if this comes at the wrong moment).
>
> I attached the patches that implement OCSP stapling for both GnuTLS and NSS
> backends, and the --cert-status option for curl. They also include
> documentation for both the libcurl and curl options.
>
> So, the GnuTLS and NSS backends are, AFAICT, fully functional. The failures
> I was seeing in the GnuTLS backend were caused by a bug in GnuTLS itself,
> which got fixed in the 3.3.11 release. You may still see failures due to a
> bug in libtasn1 (used by GnuTLS), which got fixed in the 4.2 release (for
> reference see [0] and [1]).

I have just checked your patches using the NSS backend and they look great.
Thank you for working on this!

As a minor comment, one of the patches adds a line longer than 79 chars to
nss.c, which breaks the build if configured with --enable-debug.

> As for the OpenSSL (which I left out for now) backend, I'm pretty sure
> OpenSSL's OCSP support is broken, since it requires the issuer certificate
> to be in the trust store (which basically means that e.g. an intermediate
> certificate needs to be in the store, even if it's itself signed by a CA
> certificate). Notably, this breaks pretty much all CloudFlare sites (or any
> sites that use intermediate certificates) unless those issuers are trusted
> with --capath/--cacert. I haven't looked into this yet, but I'll probably
> file a bug report at some point, and finish up the curl support if/when
> this gets fixed.
>
> Even without OpenSSL support (which can be added later on), I think this is
> ready to be merged. For testing, you can use the following websites that
> support OCSP stapling:
>
> https://yahoo.com
> https://mozilla.org
> https://tn123.org
> https://digitalocean.com (from CloudFlare)
> https://kuix.de:5148
> https://kuix.de:5149 (this got its certificate revoked, so the check must
> fail)
>
> I've kept the patches separate to ease development and review, but I can
> merge them if needed.

I would prefer to keep them separated.

Kamil

> Cheers
>
> [0] https://bugs.debian.org/772055
> [1] https://bugs.debian.org/759161
Received on 2014-12-15