httpd-dev mailing list archives

From Dr Stephen Henson <shen...@oss-institute.org>
Subject Re: mod_ssl OCSP tuning (Re: T&R of 2.3.10)
Date Mon, 17 Jan 2011 14:27:59 GMT
On 17/01/2011 13:39, Joe Orton wrote:
> On Sun, Jan 16, 2011 at 11:34:29AM +0100, Kaspar Brand wrote:
>> On 13.12.2010 15:24, Jim Jagielski wrote:
>>> At this late in the game, I would prefer to do this post-2.3.10...
>>> safer that way.
>>
>> Polite reminder, according to [1]... :-) I feel it's important because
>> it addresses PR 49784 and a few additional improvements for the OCSP
>> checking code (for client auth).
>>
>> Patch v2 from December is attached again, for the sake of easier reference.
> 
> Thanks a lot for the patch & the prod...
> 
> I've merged the config options changes with some minor tweaks (OpenSSL 
> seems to stomp on the OCSP_* namespace so I renamed the macros):
>  
>   http://svn.apache.org/viewvc?rev=1059917&view=rev
> 
> w.r.t. the change to skip OCSP validation for valid self-signed certs, I 
> brought this up a while back:
> 
> http://www.mail-archive.com/dev@httpd.apache.org/msg38849.html
> 
> and Stephen said it probably be configurable.  Has common practice 
> evolved here such that hard-coding the less strict behaviour is 
> reasonable?
> 

I still believe it should be configurable.

A root CA can be revoked for a number of reasons although key compromise has
security issues if the responder certificate is part of the chain (i.e. cases #1
and #2 in that message).

Apache OCSP AFAIK currently doesn't handle case #3 at all (trusting responders
with keys trusted by some out of band means).

There is a fix/enhancement for this (which also addresses the issue Steve
Marquess brought up) in PR46037.

Steve.
-- 
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
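As an added illustration (not code from this thread, from httpd or from OpenSSL), here is a stdlib-only Python model of the points under discussion: the shortcut of not OCSP-checking a self-signed trust anchor, treated as a configurable knob rather than hard-coded; the three responder trust cases of RFC 6960 section 2.2 (the case numbering in Joe's linked message is not assumed to match); and why a root key compromise can only be reported by a responder whose trust does not derive from that root. The `Cert` record, certificate names and key ids are constructed placeholders, and no real X.509 parsing or signature verification is performed; the only real identifier is OpenSSL's `OCSP_TRUSTOTHER` flag, named in a comment.

```python
"""Toy model of the OCSP policy questions in the thread: is a self-signed
trust anchor checked at all, which RFC 6960 responder trust case applies,
and which responders can still report a compromised root key.
Constructed example: no real X.509 parsing or signature verification."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

OCSP_SIGNING_EKU = "id-kp-OCSPSigning"   # RFC 6960 section 4.2.2.2


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str                            # subject name of the signer
    key_id: str                            # stands in for the public key
    eku: FrozenSet[str] = frozenset()

    def is_self_signed(self) -> bool:
        # A real check also verifies the signature with the cert's own key.
        return self.subject == self.issuer


def responder_trust_case(responder: Cert, issuer: Cert,
                         trusted_keys: FrozenSet[str]) -> Optional[str]:
    """Classify an OCSP responder for a certificate issued by `issuer`.

    'ca'            the responder is the issuing CA itself
    'delegated'     CA-designated responder: issued by the CA, OCSP-signing EKU
    'trusted_other' key trusted out of band (OpenSSL's OCSP_TRUSTOTHER flag)
    None            not acceptable
    """
    if responder.key_id == issuer.key_id:
        return "ca"
    if responder.issuer == issuer.subject and OCSP_SIGNING_EKU in responder.eku:
        return "delegated"
    if responder.key_id in trusted_keys:
        return "trusted_other"
    return None


def root_compromise_detectable(case: Optional[str]) -> bool:
    """If the root key is compromised, a responder whose authority derives
    from that key ('ca', 'delegated') can be impersonated by whoever holds
    the key, so a 'good' answer about the root proves nothing. Only an
    out-of-band trusted responder is independent of the compromised chain."""
    return case == "trusted_other"


def plan_ocsp_checks(chain: List[Cert], responders: Dict[str, Cert],
                     trusted_keys: FrozenSet[str],
                     skip_self_signed: bool) -> List[Tuple[str, bool, Optional[str]]]:
    """chain is leaf first, ending at the self-signed trust anchor.
    responders maps an issuer subject to the responder answering for it.
    Returns (subject, ocsp_checked, responder_case) for each certificate."""
    plan = []
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else cert
        if cert.is_self_signed() and skip_self_signed:
            plan.append((cert.subject, False, None))   # the shortcut being debated
            continue
        responder = responders.get(issuer.subject)
        case = responder_trust_case(responder, issuer, trusted_keys) if responder else None
        plan.append((cert.subject, True, case))
    return plan


# Constructed sample PKI (names and key ids are placeholders).
ROOT = Cert("Example Root", "Example Root", "k-root")
ICA = Cert("Example Issuing CA", "Example Root", "k-ica")
LEAF = Cert("client1", "Example Issuing CA", "k-leaf")
DELEGATED = Cert("Root OCSP Responder", "Example Root", "k-deleg",
                 frozenset({OCSP_SIGNING_EKU}))
EXTERNAL = Cert("External OCSP", "External OCSP", "k-ext")   # trusted out of band

CHAIN = [LEAF, ICA, ROOT]
CHAIN_RESPONDERS = {"Example Issuing CA": ICA, "Example Root": DELEGATED}

if __name__ == "__main__":
    for skip in (True, False):
        print("skip_self_signed =", skip,
              plan_ocsp_checks(CHAIN, CHAIN_RESPONDERS, frozenset(), skip))
    ext = dict(CHAIN_RESPONDERS, **{"Example Root": EXTERNAL})
    print("external responder:", plan_ocsp_checks(CHAIN, ext, frozenset({"k-ext"}), False))
```

With skip_self_signed=True the root is never queried, so its revocation status (and the delegated responder's answer about it) is simply not consulted; with the flag off, the root is checked through a responder of case 'delegated', which is exactly the case where a compromised root key also controls the answer. Pointing the root at the out-of-band responder and listing its key in trusted_keys is the case Apache is said not to handle.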
