httpd-dev mailing list archives

From Dr Stephen Henson <>
Subject Re: OCSP stapling in mod_ssl - use as OCSP cache for client authentication
Date Mon, 26 Oct 2009 00:53:46 GMT
Joe Orton wrote:
> I finally got round to finishing this off, holidays and similar excuses 
> now out of the way.  First of all: thanks a lot for the patch, and sorry 
> it took so long to merge!

Many thanks. I'm away from my test setup for a couple of days so can't test it
at present.

> I made a few changes relative to your latest patch:
> - minor syntax/style cleanups
> - renamed the new C file to ssl_util_stapling.c
> - updated the handling of "SSLStaplingCache" as per changes to 
>   "SSLSessionCache", to allow "SSLStaplingCache default" to DTRT
> - moved up the call to ssl_stapling_ex_init() so it took effect before 
>   the ex_data index was used
> and have two questions:
> 1) the use of an ex_data structure attached to the X509 * to store the 
> stapling-specific state seems unnecessary.  Was there a reason why you 
> did this rather than simply extending the modssl_pk_server_t structure? 
> (The ex_data indices have historically been a nightmare with mod_ssl due 
> to the fact that OpenSSL might get unloaded from memory during startup, 
> and any cached copies of the index values outside of OpenSSL may or may 
> not be reliable.  Global state == bad!)

Main reason is that I'm more used to how ex_data works ;-)

As long as the cached structure is associated with each server certificate in
some way that's fine.

> I've done basic testing using openssl s_client/ocsp as client/responder 
> such that I can see an OCSP response being passed through, but it didn't 
> seem to get cached correctly which I haven't looked into further (maybe 
> I broke that with my changes).

Will test it when I get back.

Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute:
OpenSSL Core team:
