httpd-dev mailing list archives

From Dr Stephen Henson <shen...@oss-institute.org>
Subject Re: mod_ssl OCSP questions
Date Fri, 30 Nov 2007 12:25:42 GMT
Marc Stern wrote:
> 
>>> c) Steve mentioned some responders don't accept requests with
>>> nonces.  What is a sane default?  Send nonces (more secure), or not
>>> (better interop).  From reading the RFC it looks like mod_ssl should
>>> also be checking the validity times from the OCSP response, which
>>> would help, I guess
>> I'll check how we are using the API. There are some OCSP helper
>> functions in OpenSSL which check the appropriate times and allow a
>> configurable "skew" for cases where clocks are inaccurately set. How
>> much skew to allow in practice may again depend on local policy.
>>   
> I agree.
> If using a nonce, there is no need to check the date. If not, you have
> to specify the time delta to accept
> 

Although a nonce-supporting responder avoids replay attacks, I'd say we
always need to check the date in case a responder fault results in it
producing status information with an invalid date.

I've seen real world examples where stale information was being returned
by a responder.

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.
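Steve's point above, that a matching nonce rules out replay but not a responder handing back stale status, as an added example (not code from this thread, from mod_ssl or from OpenSSL): a small C re-implementation of the acceptance policy, with plain time_t values standing in for ASN1_GENERALIZEDTIME so it builds without libcrypto. The skew and maximum-age rules follow the documented behaviour of OpenSSL's OCSP_check_validity(); the function names, the struct, the fixed clock value and the nonce bytes are this example's own constructed inputs.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define NONCE_MAX 32

enum ocsp_verdict {
    OCSP_OK = 0,
    OCSP_NONCE_MISMATCH,               /* we sent a nonce; responder did not echo it */
    OCSP_NOT_YET_VALID,                /* thisUpdate more than skew seconds ahead of us */
    OCSP_TOO_OLD,                      /* thisUpdate older than maxage (maxage >= 0 only) */
    OCSP_EXPIRED,                      /* nextUpdate more than skew seconds behind us */
    OCSP_NEXTUPDATE_BEFORE_THISUPDATE  /* internally inconsistent response */
};

/* One SingleResponse plus the response nonce, reduced to plain values. */
struct ocsp_single {
    time_t this_update;
    int has_next_update;               /* nextUpdate is OPTIONAL in RFC 2560 */
    time_t next_update;
    size_t nonce_len;                  /* 0 when the response carries no nonce */
    unsigned char nonce[NONCE_MAX];
};

/* Time checks modelled on the skew/maxage rules of OpenSSL's OCSP_check_validity(). */
enum ocsp_verdict ocsp_check_times(time_t now, const struct ocsp_single *r,
                                   long skew, long maxage)
{
    if (r->this_update > now + skew)
        return OCSP_NOT_YET_VALID;
    if (maxage >= 0 && r->this_update < now - maxage)
        return OCSP_TOO_OLD;
    if (r->has_next_update) {
        if (r->next_update < now - skew)
            return OCSP_EXPIRED;
        if (r->next_update < r->this_update)
            return OCSP_NEXTUPDATE_BEFORE_THISUPDATE;
    }
    return OCSP_OK;
}

/* Acceptance policy: nonce (when we sent one) AND times, never one instead of the other. */
enum ocsp_verdict ocsp_accept(time_t now, const struct ocsp_single *r,
                              const unsigned char *req_nonce, size_t req_nonce_len,
                              long skew, long maxage)
{
    if (req_nonce_len > 0 &&
        (r->nonce_len != req_nonce_len ||
         memcmp(r->nonce, req_nonce, req_nonce_len) != 0))
        return OCSP_NONCE_MISMATCH;
    /* A fresh nonce says nothing about the dates the responder filled in. */
    return ocsp_check_times(now, r, skew, maxage);
}

/* Constructed inputs: a fixed clock (2007-11-30 12:25:42 GMT) and a made-up nonce. */
static const time_t NOW = 1196425542;
static const unsigned char REQ_NONCE[8] = {0xde, 0xad, 0xbe, 0xef, 0x00, 0x11, 0x22, 0x33};

static struct ocsp_single build(long this_off, int has_next, long next_off, int echo_nonce)
{
    struct ocsp_single r;
    memset(&r, 0, sizeof r);
    r.this_update = NOW + this_off;
    r.has_next_update = has_next;
    r.next_update = NOW + next_off;
    if (echo_nonce) {
        r.nonce_len = sizeof REQ_NONCE;
        memcpy(r.nonce, REQ_NONCE, sizeof REQ_NONCE);
    }
    return r;
}

/* Good response: produced 10 minutes ago, valid for another hour, nonce echoed. */
enum ocsp_verdict scenario_fresh(void) {
    struct ocsp_single r = build(-600, 1, 3600, 1);
    return ocsp_accept(NOW, &r, REQ_NONCE, sizeof REQ_NONCE, 300, -1);
}
/* Responder fault: nonce correct, but the status is two days old and past nextUpdate. */
enum ocsp_verdict scenario_stale_but_nonce_ok(void) {
    struct ocsp_single r = build(-2 * 86400, 1, -86400, 1);
    return ocsp_accept(NOW, &r, REQ_NONCE, sizeof REQ_NONCE, 300, -1);
}
/* Responder clock 90 s ahead of ours: the outcome depends on the configured skew. */
enum ocsp_verdict scenario_clock_ahead(long skew) {
    struct ocsp_single r = build(90, 1, 3600, 1);
    return ocsp_accept(NOW, &r, REQ_NONCE, sizeof REQ_NONCE, skew, -1);
}
/* Interop mode: no nonce sent and no nextUpdate returned; only maxage bounds staleness. */
enum ocsp_verdict scenario_no_nonce_no_nextupdate(long maxage) {
    struct ocsp_single r = build(-2 * 86400, 0, 0, 0);
    return ocsp_accept(NOW, &r, NULL, 0, 300, maxage);
}
/* We sent a nonce, the responder dropped it. */
enum ocsp_verdict scenario_missing_nonce(void) {
    struct ocsp_single r = build(-600, 1, 3600, 0);
    return ocsp_accept(NOW, &r, REQ_NONCE, sizeof REQ_NONCE, 300, -1);
}

int main(void)
{
    static const char *names[] = {"ok", "nonce mismatch", "not yet valid", "too old",
                                  "expired", "nextUpdate before thisUpdate"};
    printf("fresh:                 %s\n", names[scenario_fresh()]);
    printf("stale, nonce ok:       %s\n", names[scenario_stale_but_nonce_ok()]);
    printf("clock +90s, skew 300:  %s\n", names[scenario_clock_ahead(300)]);
    printf("clock +90s, skew 60:   %s\n", names[scenario_clock_ahead(60)]);
    printf("no nonce, maxage 1d:   %s\n", names[scenario_no_nonce_no_nextupdate(86400)]);
    printf("no nonce, no maxage:   %s\n", names[scenario_no_nonce_no_nextupdate(-1)]);
    printf("nonce dropped:         %s\n", names[scenario_missing_nonce()]);
    return 0;
}
```

The second scenario is the case Steve describes: the nonce check passes, so a replay is ruled out, yet the response is still rejected because its nextUpdate is in the past. The last two runs of scenario_no_nonce_no_nextupdate show the trade-off when nonces are off for interop and the responder omits nextUpdate: with no maximum age there is nothing left to bound how old the status may be.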
