httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Orton <jor...@redhat.com>
Subject Re: OCSP stapling in mod_ssl - use as OCSP cache for client authentication
Date Sun, 25 Oct 2009 20:07:21 GMT
On Wed, Sep 16, 2009 at 01:45:30PM +0100, Joe Orton wrote:
> On Wed, Sep 16, 2009 at 01:38:50PM +0100, Dr Stephen Henson wrote:
> > I may have missed something here but the OCSP stapling code doesn't appear to be
> > in trunk. The patch in:
> > 
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=43822
> > 
> > doesn't apply cleanly any more, though the changes needed to get it working are
> > fairly trivial. I'm in the process of including an updated patch.
> 
> I'm working on merging this right now, your patch did apply fine, I've 
> committed the one part separately which you alude to below.

I finally got round to finishing this off, holidays and similar excuses 
now out of the way.  First of all: thanks a lot for the patch, and sorry 
it took so long to merge!

I made a few changes relative to your latest patch:

- minor syntax/style cleanups
- renamed the new C file to ssl_util_stapling.c
- updated the handling of "SSLStaplingCache" as per changes to 
  "SSLSessionCache", to allow "SSLStaplingCache default" to DTRT
- moved up the call to ssl_stapling_ex_init() so it took effect before 
  the ex_data index was used

and have two questions:

1) the use of an ex_data structure attached to the X509 * to store the 
stapling-specific state seems unnecessary.  Was there a reason why you 
did this rather than simply extending the modssl_pk_server_t structure? 
(The ex_data indices have historically been a nightmare with mod_ssl due 
to the fact that OpenSSL might get unloaded from memory during startup, 
and any cached copies of the index values outside of OpenSSL may or may 
not be reliable.  Global state == bad!)

2) the error case where there's no SSLStaplingForceURL configured and no 
responder specified in the cert - this is currently logged but no more.  
I'm wondering whether this should be an ssl_abort(); if someone enables 
stapling for a vhost but there is no responder known, it seems like that 
should be a config error?

I've done basic testing using openssl s_client/ocsp as client/responder 
such that I can see an OCSP response being passed through, but it didn't 
seem to get cached correctly which I haven't looked into further (maybe 
I broke that with my changes).

Regards, Joe

Mime
View raw message