httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 43822] New: - OCSP stapling support for mod_ssl
Date Fri, 09 Nov 2007 13:37:03 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43822>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=43822

           Summary: OCSP stapling support for mod_ssl
           Product: Apache httpd-2
           Version: 2.2.6
          Platform: All
        OS/Version: other
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: steve@openssl.org


This patch adds provisional OCSP stapling support to mod_ssl. 

OCSP stapling is a technique where, instead of each client connecting to a
responder individually to perform its own OCSP check, the server itself performs a
single check and sends the response to multiple clients using the certificate
status TLS extension.

The patch requires a recent OpenSSL 0.9.8 stable snapshot or the 0.9.9-dev
version. The first official release will be 0.9.8h.

If OpenSSL 0.9.8 is used then the compilation option "enable-tlsext" is also
required because TLS extension support is not compiled in by default in
OpenSSL 0.9.8.

The following configuration options are added:

SSLUseStapling: enable OCSP stapling, default off.

SSLStaplingResponseSkew: number of seconds of tolerance when checking OCSP
responses, to allow for differences in clock settings. Default 5 minutes.

SSLStaplingMaxAge: number of seconds to keep an OCSP response, overriding
any notAfter date present. This covers two cases. If notAfter is not
present then, according to the standard, updated information is immediately
available, and this option indicates how long such a response should be
considered valid. In other cases responder responses have been known to carry
very long notAfter dates, weeks or months in the future, even though new
information is available long before then. Default is to rely on the notAfter
time and not override it.

SSLStaplingResponderTimeout: number of seconds to wait for a reply from
an OCSP responder. Default is 10 seconds.

SSLStaplingStandardCacheTimeout: number of seconds to cache valid responses,
default 60 minutes.

SSLStaplingErrorCacheTimeout: number of seconds to cache invalid responses,
default foo minutes.

SSLStaplingReturnResponderErrors: errors in the OCSP responder (status errors
and returning of expired OCSP responses) are sent back to the client when
this option is set, default on. When not set no OCSP response is sent back
to the client if an error is retrieved.

SSLStaplingFakeTryLater: if a connection cannot be established with the
responder or no response is received then this option will send the status
code "tryLater" back to the client.

SSLStaplingForceURL: force the responder URL to use. Normally the certificate
extensions indicate the responder URL; this option allows it to be
overridden. This can be useful where an OCSP responder is acting
as a proxy, for example. Default is unset.

SSLStaplingMutex: mutex to use for stapling. Syntax is identical to SSLMutex
option.

Some notes on the implementation:

The caching is performed by storing the OCSP response in an SSL_SESSION
structure. This allows the standard caching mechanisms to be utilised and
reduces the number of changes required.

The caching of error responses is designed to be kind to the OCSP responder
by not repeatedly making requests when it is not returning valid responses.

The caching policy may need tweaking to handle practical cases.
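The timing rules described by the SSLStaplingResponseSkew, SSLStaplingMaxAge and the two cache-timeout options, together with the "be kind to the responder" error-caching note above, can be written down as a small decision function. The following is an added example, not code from the patch or from mod_ssl; the directive defaults are taken from the report (the error-cache timeout, which the report leaves unspecified, is a constructed value), and the clamping of the standard cache timeout to the response's validity window is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass
class StaplingPolicy:
    """Directive values from the report, in seconds."""
    response_skew: int = 5 * 60             # SSLStaplingResponseSkew, default 5 minutes
    max_age: Optional[int] = None           # SSLStaplingMaxAge, None = rely on notAfter
    standard_cache_timeout: int = 60 * 60   # SSLStaplingStandardCacheTimeout, default 60 min
    error_cache_timeout: int = 10 * 60      # SSLStaplingErrorCacheTimeout (constructed value)


def utc(stamp: str) -> datetime:
    """Parse a constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_validity(this_update: datetime, not_after: Optional[datetime],
                   now: datetime, policy: StaplingPolicy) -> Tuple[bool, str]:
    """Apply the skew and MaxAge rules to a response's thisUpdate / notAfter times."""
    skew = timedelta(seconds=policy.response_skew)
    if this_update > now + skew:
        return False, "thisUpdate lies in the future beyond the clock-skew tolerance"
    if not_after is not None and not_after + skew < now:
        return False, "response expired: notAfter has passed"
    if policy.max_age is not None and this_update + timedelta(seconds=policy.max_age) < now:
        return False, "response older than SSLStaplingMaxAge"
    return True, "ok"


def cache_decision(this_update: datetime, not_after: Optional[datetime],
                   now: datetime, policy: StaplingPolicy) -> Tuple[bool, datetime]:
    """Return (staple_it, cache_until).

    An invalid result is cached for the error timeout so the responder is not queried
    again immediately; a valid one for the standard timeout, clamped (assumption of this
    example) so a cached response is never served past the point it stops being valid."""
    ok, _reason = check_validity(this_update, not_after, now, policy)
    if not ok:
        return False, now + timedelta(seconds=policy.error_cache_timeout)
    until = now + timedelta(seconds=policy.standard_cache_timeout)
    if not_after is not None:
        until = min(until, not_after)
    if policy.max_age is not None:
        until = min(until, this_update + timedelta(seconds=policy.max_age))
    return True, until


if __name__ == "__main__":
    now = utc("2007-11-09T13:37:03Z")  # constructed "current time"
    print(cache_decision(utc("2007-11-09T13:00:00Z"), utc("2007-11-16T13:00:00Z"),
                         now, StaplingPolicy(max_age=24 * 3600)))
```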

A new mutex is required for OCSP stapling; this ensures that multiple
processes do not request an updated response simultaneously. The mutex code
has been generalized to allow the addition of new mutexes.

The OCSP query code uses OpenSSL's rather basic HTTP request mechanism. For
the OCSP patch it has been suggested that sub requests and mod_proxy would be
more efficient. However, the request_rec structure is not available inside
mod_ssl at the time of the OCSP query... if this can be worked around then
suggestions are welcomed.

Timeouts on OCSP responses are implemented using a custom BIO which makes use
of APR socket I/O. If the OCSP patch is also used this code could be shared
between the two.

All comments welcomed.
