httpd-dev mailing list archives

From: Kaspar Brand <>
Subject: Re: mod_ssl OCSP tuning (Re: T&R of 2.3.10)
Date: Wed, 19 Jan 2011 14:48:04 GMT
On 17.01.2011 15:27, Dr Stephen Henson wrote:
> On 17/01/2011 13:39, Joe Orton wrote:
>> w.r.t. the change to skip OCSP validation for valid self-signed certs, I
>> brought this up a while back:
>> and Stephen said it should probably be configurable.  Has common practice
>> evolved here such that hard-coding the less strict behaviour is
>> reasonable?

The only case where checking self-signed, self-issued certs really makes
sense is the one mentioned by Steve - when an OCSP responder with an
explicitly trusted public key is used (case #3 in Steve's mail, in RFC
2560 section 2.2 it's called "Trusted Responder"). Certainly not a
common configuration for "In_ter_net" deployments, but maybe of use for
corporate/In_tra_net environments.

> I still believe it should be configurable.
> A root CA can be revoked for a number of reasons although key compromise has
> security issues if the responder certificate is part of the chain (i.e. cases #1
> and #2 in that message).

Remember such a root cert (trust anchor) will previously have been
configured through SSLCACertificateFile/SSLCACertificatePath anyway, so
the only "advantage" of OCSP checks for these would actually be that it
amounts to some kind of "alerting" feature for the admin - making him
aware of invalid root certs in his trust store. Once realized, he would
then certainly be better off with completely removing these roots from
the httpd config.

> Apache OCSP AFAIK currently doesn't handle case #3 at all (trusting responders
> with keys trusted by some out of band means).
> There is a fix/enhancement for this (which also addresses the issue Steve
> Marquess brought up) in PR46037.

I don't mind adding support for trusted responders, but until that
happens, I consider hard-coding mod_ssl to skip OCSP checks for valid
self-signed certs a sensible choice. Even when support for trusted
responders is added, I don't think it needs to be configurable - it can
be enabled/disabled based on the existence of trusted responders in the
config (relying on the absence/presence of the OCSP_TRUSTOTHER verify
flag, effectively).

For convenience, I'm attaching the snippet which hasn't been committed yet.

Another small patch to mod_ssl, which I consider low-hanging fruit, is
attached to PR 48215.
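As an added illustration (not code from this thread or from mod_ssl), the policy discussed above in Python: a minimal DER walk that pulls the issuer and subject Names out of a certificate, and a decision function that skips the OCSP check for a self-issued certificate unless a trusted responder is configured. The `make_cert`/`name` helpers and the certificate contents they produce are constructed sample data, and the `trusted_responder_configured` argument stands in for the presence of the OCSP_TRUSTOTHER verify flag.

```python
def der(tag, payload):
    # Minimal DER TLV encoder for the sample data (payloads under 256 bytes).
    length = bytes([len(payload)]) if len(payload) < 0x80 else b"\x81" + bytes([len(payload)])
    return bytes([tag]) + length + payload

def _tlv(buf, off):
    # Decode the TLV at buf[off]; return (tag, value, offset past it).
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                               # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length, off = int.from_bytes(buf[off:off + nbytes], "big"), off + nbytes
    return tag, buf[off:off + length], off + length

def issuer_and_subject(cert_der):
    # Walk Certificate -> TBSCertificate and return the raw DER of both Names.
    _, cert, _ = _tlv(cert_der, 0)
    _, tbs, _ = _tlv(cert, 0)
    tag, _, off = _tlv(tbs, 0)                      # [0] version is absent in v1 certs
    if tag == 0xA0:
        _, _, off = _tlv(tbs, off)                  # serialNumber
    _, _, off = _tlv(tbs, off)                      # signature AlgorithmIdentifier
    start, (_, _, off) = off, _tlv(tbs, off)        # issuer Name
    issuer = tbs[start:off]
    _, _, off = _tlv(tbs, off)                      # validity
    start, (_, _, off) = off, _tlv(tbs, off)        # subject Name
    return issuer, tbs[start:off]

def should_check_ocsp(cert_der, trusted_responder_configured):
    # Policy from the thread: a self-issued cert (issuer == subject) skips OCSP
    # unless a trusted responder is configured (OCSP_TRUSTOTHER in OpenSSL terms).
    # Byte-comparing the DER Names approximates X509_NAME_cmp; proving the
    # self-signature itself is valid is left to the normal chain validation.
    issuer, subject = issuer_and_subject(cert_der)
    return issuer != subject or trusted_responder_configured

_SHA256_RSA = der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # 1.2.840.113549.1.1.11

def name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single commonName.
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))

def make_cert(issuer_cn, subject_cn):
    # Constructed sample: an X.509 v3 skeleton with placeholder key and
    # signature fields, just enough for the Name extraction above.
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")      # version v3, serial 1
           + der(0x30, _SHA256_RSA) + name(issuer_cn)
           + der(0x30, der(0x17, b"110119000000Z") + der(0x17, b"120119000000Z"))
           + name(subject_cn) + der(0x30, b""))                    # SPKI placeholder
    return der(0x30, der(0x30, tbs) + der(0x30, _SHA256_RSA) + der(0x03, b"\x00"))
```

A trusted-responder deployment (RFC 2560 section 2.2) is the one case where the self-issued root still gets queried, which is what the second argument models.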

