Return-Path: Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: (qmail 37105 invoked from network); 29 Nov 2007 20:35:51 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 29 Nov 2007 20:35:51 -0000 Received: (qmail 98861 invoked by uid 500); 29 Nov 2007 20:35:37 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 98783 invoked by uid 500); 29 Nov 2007 20:35:37 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 98756 invoked by uid 99); 29 Nov 2007 20:35:35 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 29 Nov 2007 12:35:35 -0800 X-ASF-Spam-Status: No, hits=-4.0 required=10.0 tests=RCVD_IN_DNSWL_MED,SPF_HELO_PASS,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of jorton@redhat.com designates 66.187.233.31 as permitted sender) Received: from [66.187.233.31] (HELO mx1.redhat.com) (66.187.233.31) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 29 Nov 2007 20:35:14 +0000 Received: from int-mx1.corp.redhat.com (int-mx1.corp.redhat.com [172.16.52.254]) by mx1.redhat.com (8.13.8/8.13.1) with ESMTP id lATKZCC5016507; Thu, 29 Nov 2007 15:35:13 -0500 Received: from turnip.manyfish.co.uk (IDENT:U2FsdGVkX18OwrMXSmXrWGJLWN+U0TTzHa2m2h39Z6U@vpn-14-229.rdu.redhat.com [10.11.14.229]) by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id lATKZBTN018897; Thu, 29 Nov 2007 15:35:12 -0500 Received: from jorton by turnip.manyfish.co.uk with local (Exim 4.68) (envelope-from ) id 1Ixq6J-00064L-5L; Thu, 29 Nov 2007 20:35:11 +0000 Date: Thu, 29 Nov 2007 20:35:11 +0000 From: Joe Orton To: dev@httpd.apache.org Cc: marc.stern@approach.be, steve@openssl.org Subject: mod_ssl OCSP questions Message-ID: <20071129203511.GA15121@redhat.com> Mail-Followup-To: dev@httpd.apache.org, marc.stern@approach.be, steve@openssl.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline User-Agent: Mutt/1.5.17 (2007-11-01) Organization: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SL4 1TE, United Kingdom. Registered in UK and Wales under Company Registration No. 03798903 Directors: Michael Cunningham (USA), Brendan Lane (Ireland), Matt Parson (USA), Charlie Peters (USA) X-Virus-Checked: Checked by ClamAV on apache.org Taking this discussion out of bugzilla. As implemented currently the OCSP validation is working like this: 1) trusted store T initialized with root certs configured via SSLCA* 2) foreach cert in chain from (root...client certificate): a) verify cert is signed by trusted cert (or, is transitively so) b) if so, perform OCSP validation on cert as follows: i) pick a responder, exchange OCSP messages ii) verify signature of OCSP response against certs in trusted store T I'm not familiar with how OCSP is typically deployed; my questions are: a) is it acceptable to assume that the same set of trusted certs is used to verify the signature of the OCSP response as is used to verify the client cert itself? Or do these need to be separately configurable? b) does it really make sense to be doing OCSP validation individually on each cert in the peer's cert chain? Marc mentioned an issue with a compromised intermediary cert; but I want to be sure I understand this properly. Can someone explain the exact threat model which checking the whole chain would be necessary for? c) Steve mentioned some responders don't accept requests with nonces. What is a sane default? Send nonces (more secure), or not (better interop). From reading the RFC it looks like mod_ssl should also be checking the validity times from the OCSP response, which would help, I guess. Regards, joe