httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Natanael Mignon - michael-wessel.de ...@michael-wessel.de>
Subject AW: OCSP stapling in mod_ssl - use as OCSP cache for client authentication
Date Tue, 22 Sep 2009 10:10:21 GMT
After some time off (off this topic, at least), I am now trying to work my way through the
stapling code and the mechanisms of caching in mod_ssl. Phew... I had expected this to be
a little more straight forward even for a non-C-guru like me. *sigh* ;)

My favourite place to have the OCSP caching done is in ssl_engine_ocsp.c -> verify_ocsp_status(),
right where an OCSP request would be created:

static int verify_ocsp_status(...)
{
[...]
 /* Query response cache HERE */
 ruri = determine_responder_uri(sc, cert, c, pool);
 if (!ruri) {
        return V_OCSP_CERTSTATUS_UNKNOWN;
     }
 request = create_request(ctx, cert, &certID, s, pool);
[...]

The idea, inspired by your stapling code, Steve, is:

- Use SHA1 hash of cert (X509_digest(cert, EVP_sha1(), idx, NULL)) as key for the cache.
- Query cache for entry of idx above
-_ only create and dispatch new request, if no or invalid entry
- store/update response after (new) request has been dispatched and response has been received
- validate response (either received from cache or from connection to responder) --> this
code is present, of course, and has been further customized already.

Is there a possibility to *not* customize a bunch of files like ssl_private.h, ssl_scache.c,
ssl_engine_init.c and so on, but have all necessary handling placed here in ssl_engine_ocsp.c
(and maybe ssl_util_ocsp.c), without messing up?

Of course, I see the pros of a generic approach, but this is definitely only for internal
OCSP caching nothing to be communicated outside of this place.

On a more detailed level, it is the caching mechanisms that trouble me. What needs to be done
to execute caching operations?

- Define and initialize a cache - similar to SSL session cache. The actual SSL session cache
functions and structures cannot be used for this, just with a different storage (file)?
- Define and initialize a mutex for access to this additional cache...

So, I am lacking the right way to start this up, aims being at first a quick implementation
and continued refactoring to a really well done solution afterwards. :-/

Mit freundlichen Grüßen / Kind regards
 Natanael Mignon
________________________________________
Von: Dr Stephen Henson [shenson@oss-institute.org]
Gesendet: Freitag, 11. September 2009 11:45
An: dev@httpd.apache.org
Betreff: Re: OCSP stapling in mod_ssl - use as OCSP cache for client authentication

What I think you are trying to do is to include a cache for OCSP queries the
proxy itself makes which is IMHO the best solution. So instead of always
consulting the OCSP responder it instead checks the cache to see if there is a
valid OCSP response in there, if it is expired or invalid then and only then
would it renew the response by making an actual query. Doing things that way
doesn't need OCSP stapling support in the server(s).

If that's correct then you could reuse some of the OCSP response query and
caching code in the stapling patch. It implements similar functionality.


Mime
View raw message