cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: [PATCH v3] OCSP stapling for GnuTLS and NSS

From: Alessandro Ghedini <alessandro_at_ghedini.me>
Date: Mon, 19 Jan 2015 18:37:30 +0100

On ven, gen 16, 2015 at 11:27:24 +0100, Daniel Stenberg wrote:
> On Thu, 15 Jan 2015, Alessandro Ghedini wrote:
>
> >This new version returns an error when trying to set the
> >CURLOPT_SSL_VERIFYSTATUS option if the SSL backend doesn't support the
> >status_request extension. I also updated the CURLOPT_SSL_VERIFYSTATUS
> >manpage to reflect this.
>
> I merged your patches just now with some minor edits.

Nice, thanks!

> Now, let's get back to that OpenSSL version of the OCSP patch to see where
> we are with that and how to get it right!

So, I just rebased and updated the OpenSSL patch [0]. Of course the original
problem that openssl doesn't like non-trusted signer certificates (even if they
are validated by a certificate in the trust store) persists.

The work-around is to use a special flag OCSP_TRUSTOTHER which basically means
that we can pass additional certificates to the OCSP verify function which would
be considered as trusted. This means that no checks at all are performed on
those certificates. Unfortunately OCSP_TRUSTOTHER doesn't always work for some
weird OCSP responses (e.g. those from DigiCert/Cloudflare).

The proper solution would be to get openssl fixed of course (other projects such
as nginx seems to be affected by this as well) but that may take a lot of time.

Cheers

[0] https://github.com/ghedo/curl/commit/status_request

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2015-01-19