curl-library

Re: [PATCH v2] OCSP stapling for GnuTLS and NSS

From: Alessandro Ghedini <alessandro_at_ghedini.me>
Date: Wed, 14 Jan 2015 10:37:35 +0100

On Thu, Jan 08, 2015 at 12:08:24PM +0100, Alessandro Ghedini wrote:
> Here I am again :)
>
> The only difference from [0] is that I fixed the NSS patch to shorten the line
> longer than 79 chars like Kamil suggested. I also fixed some typos in the commit
> messages.
>
> Unfortunately I haven't had much time to look into the OpenSSL problem yet. For
> those interested my current patch is at [1] (in the status_request_openssl
> branch).
>
> I'm including my original mail below, for context:
>
> > I attached the patches that implement OCSP stapling for both GnuTLS and NSS
> > backends, and the --cert-status option for curl. They also include documentation
> > for both the libcurl and curl options.
> >
> > So, the GnuTLS and NSS backends are, AFAICT, fully functional. The failures I
> > was seeing in the GnuTLS backend were caused by a bug in GnuTLS itself, which
> > got fixed in the 3.3.11 release. You may still see failures due to a bug in
> > libtasn1 (used by GnuTLS), which got fixed in the 4.2 release (for reference
> > see [0] and [1]).
> >
> > As for the OpenSSL (which I left out for now) backend, I'm pretty sure OpenSSL's
> > OCSP support is broken, since it requires the issuer certificate to be in the
> > trust store (which basically means that e.g. an intermediate certificate needs
> > to be in the store, even if it's itself signed by a CA certificate). Notably,
> > this breaks pretty much all CloudFlare sites (or any sites that use intermediate
> > certificates) unless those issuers are trusted with --capath/--cacert. I haven't
> > looked into this yet, but I'll probably file a bug report at some point, and
> > finish up the curl support if/when this gets fixed.
> >
> > Even without OpenSSL support (which can be added later on), I think this is
> > ready to be merged. For testing, you can use the following websites that support
> > OCSP stapling:
> >
> > https://yahoo.com
> > https://mozilla.org
> > https://tn123.org
> > https://digitalocean.com (from CloudFlare)
> > https://kuix.de:5148
> > https://kuix.de:5149 (this got its certificate revoked, so the check must fail)
> >
> > [0] https://bugs.debian.org/772055
> > [1] https://bugs.debian.org/759161
>
> Cheers
>
> [0] http://curl.haxx.se/mail/lib-2014-12/0107.html
> [1] https://github.com/ghedo/curl/tree/status_request_openssl

Ping?

Cheers
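As an added example that is not part of the patch or of this mail: a POSIX shell script that runs curl with the --cert-status option the patch introduces against the test hosts listed in the quoted message and compares each outcome with what the thread says to expect (all good except kuix.de:5149, whose certificate is revoked). It assumes a curl built with the patch; the exit code it decodes, 91 (CURLE_SSL_INVALIDCERTSTATUS), is the value released curl returns when the status check fails and is not taken from this page. The CURL variable can be pointed at a stub command so the comparison logic can be exercised without network access.

```shell
#!/bin/sh
# Added example, not code from the patch or the thread. Exercises curl's
# --cert-status option against the hosts listed in the mail and checks that
# each result matches the expectation stated there. Set CURL to a stub to
# run the decision logic offline.
CURL="${CURL:-curl}"

# Exit code 91 is CURLE_SSL_INVALIDCERTSTATUS in released curl (assumed here):
# the stapled OCSP response was missing, unusable, or said "revoked".
status_label() {
  case "$1" in
    0)  echo good ;;
    91) echo bad-status ;;
    *)  echo "error-$1" ;;
  esac
}

# Fetch only the headers over TLS with the status check enabled and print a
# label for the outcome. The response body is discarded; the exit code is
# what carries the OCSP verdict.
check_stapling() {
  rc=0
  "$CURL" --cert-status -sS -o /dev/null --head "https://$1" 2>/dev/null || rc=$?
  status_label "$rc"
}

# Compare the observed label with the expectation taken from the thread.
# Returns 0 on a match, 1 on a mismatch, so a stapling regression is visible.
verify_host() {
  host="$1"; expected="$2"
  actual=$(check_stapling "$host")
  if [ "$actual" = "$expected" ]; then
    printf '%-24s %s (as expected)\n' "$host" "$actual"
    return 0
  fi
  printf '%-24s %s (expected %s)\n' "$host" "$actual" "$expected"
  return 1
}

# Host list constructed from the mail; kuix.de:5149 must fail the check.
run_all() {
  rc=0
  while read -r host expected; do
    verify_host "$host" "$expected" || rc=1
  done <<EOF
yahoo.com good
mozilla.org good
tn123.org good
digitalocean.com good
kuix.de:5148 good
kuix.de:5149 bad-status
EOF
  return $rc
}

# Only talk to the network when explicitly asked: sh script.sh live
if [ "${1:-}" = "live" ]; then
  run_all
fi
```

Any exit code other than 0 or 91 (for example a DNS or TLS handshake failure) is reported as error-N rather than being silently counted as "good" or "revoked", which matters when the script is used as a regression check: a host that cannot be reached should not be mistaken for a host whose stapled status verified.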

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2015-01-14