
Re: [PATCH v2] OCSP stapling for GnuTLS and NSS

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Wed, 14 Jan 2015 11:41:28 +0100

On Wednesday 14 January 2015 10:37:35 Alessandro Ghedini wrote:
> On Thu, Jan 08, 2015 at 12:08:24PM +0100, Alessandro Ghedini wrote:
> > Here I am again :)
> >
> > The only difference from [0] is that I fixed the NSS patch to shorten the
> > line longer than 79 chars like Kamil suggested. I also fixed some typos
> > in the commit messages.
> >
> > Unfortunately I haven't had much time to look into the OpenSSL problem
> > yet. For those interested my current patch is at [1] (in the
> > status_request_openssl branch).
> >
> > I'm including my original mail below, for context:
> > > I attached the patches that implement OCSP stapling for both GnuTLS and
> > > NSS backends, and the --cert-status option for curl. They also include
> > > documentation for both the libcurl and curl options.
> > >
> > > So, the GnuTLS and NSS backends are, AFAICT, fully functional. The
> > > failures I was seeing in the GnuTLS backend were caused by a bug in
> > > GnuTLS itself, which got fixed in the 3.3.11 release. You may still see
> > > failures due to a bug in libtasn1 (used by GnuTLS), which got fixed in
> > > the 4.2 release (for reference see [0] and [1]).
> > >
> > > As for the OpenSSL (which I left out for now) backend, I'm pretty sure
> > > OpenSSL's OCSP support is broken, since it requires the issuer
> > > certificate to be in the trust store (which basically means that e.g.
> > > an intermediate certificate needs to be in the store, even if it's
> > > itself signed by a CA certificate). Notably, this breaks pretty much
> > > all CloudFlare sites (or any sites that use intermediate certificates)
> > > unless those issuers are trusted with --capath/--cacert. I haven't
> > > looked into this yet, but I'll probably file a bug report at some
> > > point, and finish up the curl support if/when this gets fixed.
> > >
> > > Even without OpenSSL support (which can be added later on), I think this
> > > is ready to be merged. For testing, you can use the following websites
> > > that support OCSP stapling:
> > >
> > > https://yahoo.com
> > > https://mozilla.org
> > > https://tn123.org
> > > https://digitalocean.com (from CloudFlare)
> > > https://kuix.de:5148
> > > https://kuix.de:5149 (this got its certificate revoked, so the check
> > > must fail)
> > >
> > > [0] https://bugs.debian.org/772055
> > > [1] https://bugs.debian.org/759161
> >
> > Cheers
> >
> > [0] http://curl.haxx.se/mail/lib-2014-12/0107.html
> > [1] https://github.com/ghedo/curl/tree/status_request_openssl
>
> Ping?
>
> Cheers

+1 from me for the nss part, did not check the gtls one.

Kamil
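As an added example (not part of the patch or of curl itself), the following shell script runs the patched curl's --cert-status against the test servers listed in the quoted mail and checks that each gives the expected result, including the revoked kuix.de:5149 certificate. It assumes a curl built with this patch (GnuTLS or NSS backend), reachable through the CURL variable introduced here, and that a failed certificate status check is reported with exit code 91 (CURLE_SSL_INVALIDCERTSTATUS).

```sh
#!/bin/sh
# Added example: exercise curl --cert-status against the servers named in the
# mail and verify the expected outcome of each. Not code from the patch.
CURL="${CURL:-curl}"      # point this at a build that includes the patch
REVOKED_RC=91             # CURLE_SSL_INVALIDCERTSTATUS: stapled status check failed

# Run one stapled-status check and print curl's exit code (0 = handshake
# succeeded and the stapled OCSP response was accepted).
cert_status_rc() {
    rc=0
    "$CURL" --cert-status -sS -o /dev/null "$1" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# expect_status URL ok|revoked: returns 0 when the observed result matches
# the expectation, 1 otherwise.
expect_status() {
    url=$1; want=$2
    rc=$(cert_status_rc "$url")
    case "$want:$rc" in
        ok:0)                echo "PASS $url (stapled status good)"; return 0 ;;
        revoked:$REVOKED_RC) echo "PASS $url (revocation detected)"; return 0 ;;
        *)                   echo "FAIL $url wanted=$want curl_rc=$rc"; return 1 ;;
    esac
}

# The test set from the mail; the last entry has a revoked certificate, so
# the check must fail there. Returns the number of mismatches.
run_suite() {
    fails=0
    for entry in \
        "https://yahoo.com ok" \
        "https://mozilla.org ok" \
        "https://tn123.org ok" \
        "https://digitalocean.com ok" \
        "https://kuix.de:5148 ok" \
        "https://kuix.de:5149 revoked"
    do
        set -- $entry
        expect_status "$1" "$2" || fails=$((fails + 1))
    done
    echo "$fails check(s) failed"
    return "$fails"
}

if [ "${1:-}" = "--run" ]; then
    run_suite
fi
```

Invoke it as `CURL=/path/to/patched/curl sh check-stapling.sh --run`; a non-zero exit means at least one server did not behave as the mail predicts.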
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-01-14