From Jeff Trawick <traw...@gmail.com>
Subject [PATCH] mod_ssl APIs to allow implementation of Certificate Transparency as a separate mod
Date Sat, 12 Apr 2014 13:00:08 GMT
http://people.apache.org/~trawick/httpd-ct.patch

Here is the documentation for the new hooks, annotated with an idea of what
mod_ssl_ct does with them:

/**
 * init_server hook -- allow SSL_CTX-specific initialization to be performed by
 * a module for each SSL-enabled server (one at a time)
 * @param s SSL-enabled [virtual] server
 * @param p pconf pool
 * @param is_proxy 1 if this server supports backend connections
 * over SSL/TLS, 0 if it supports client connections over SSL/TLS
 * @param ctx OpenSSL SSL Context for the server
 */
APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, init_server,
                          (server_rec *s, apr_pool_t *p, int is_proxy,
                           SSL_CTX *ctx))

mod_ssl_ct:

For an SSL-enabled proxy backend, we need to set up TLS extension handling to
ask for an SCT list in ClientHello and grab it from ServerHello.  This
requires the SSL_CTX.  (And similar for OCSP).

For an SSL-enabled server, we do the opposite (see if the client cares from
ClientHello, provide it in ServerHello).  Additionally, we take this
opportunity to query the SSL_CTX for all the server certificates, for which
we should be able to send SCTs.


/**
 * pre_handshake hook
 * @param c conn_rec for new connection from client or to backend server
 * @param ssl OpenSSL SSL Connection for the client or backend server
 */
APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, pre_handshake,
                          (conn_rec *c, SSL *ssl))

mod_ssl_ct:

Ask for the OCSP status extension to be sent.

Set TLS extension "debug" callbacks to find out if the peer is CT-aware when
resuming a session.  (Not critical)

/**
 * proxy_post_handshake hook -- allow module to abort after successful
 * handshake with backend server and subsequent peer checks
 * @param c conn_rec for connection to backend server
 * @param ssl OpenSSL SSL Connection for the client or backend server
 */
APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, proxy_post_handshake,
                          (conn_rec *c, SSL *ssl))

mod_ssl_ct:

Look at the server certificate for an SCT list (in a certificate extension).

This is also the point at which we've had the chance to potentially find
SCTs in ServerHello, cert extension, and/or stapled OCSP response, so we
proceed by checking the signature and time in each SCT and, assuming all
okay, queue it for further analysis offline.  If nothing valid has been
seen, depending on the configuration we may return an error from the hook,
which will cause mod_ssl to abort.

--/--

I've been developing mod_ssl_ct here thus far but intend for this to be
part of the httpd distribution:

https://github.com/trawick/ct-httpd/tree/master/src/proto1

--/--

On the issue of mod_ssl APIs:

mod_ssl.h currently has nothing specific to OpenSSL, which has not been
necessary so far, and which is useful because other SSL/TLS providers also
implement the limited APIs that are described there.

Maybe trunk should define those provider-independent interfaces in
<TOP>/include/httpd.h or similar, since it is recommended (in practice if
not officially) that other SSL/TLS providers implement them on behalf of
mod_proxy and modules that look up variables.

Maybe these hooks that pass around OpenSSL structures should be private
anyway (mod_ssl_private.h), as it could be difficult to debug issues with
other modules that feel free to operate on the OpenSSL structures.

It was suggested that the toolkit features needed by mod_ssl_ct (handle TLS
and OCSP extensions, look at certificates, whatever else) be defined by
mod_ssl as generic APIs which could be implemented by other SSL/TLS
providers, probably on top of other toolkits.  Scott Deboy's patch for TLS
extensions went a long way towards that.  IMO somebody that actually cares
about that needs to invest in the considerable work, which would include
actually implementing it for another toolkit and making sure that it is
doable.

So...  Concerns?  Suggestions?  Etc.?  Speak up, or forever* ask me to fix
it after committing ;)  (*Let's not be ridiculous though)

Thanks!

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
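As an added example (not part of the patch above or of mod_ssl_ct), here is the RFC 6962 SCT-list parse and timestamp check that a proxy_post_handshake implementation has to perform on the peer-supplied list before queueing SCTs for offline analysis. The struct, function names and sample bytes are my own constructions; signature verification against the log's public key is left to the caller.

```c
#include <stdint.h>
#include <string.h>

/* One parsed RFC 6962 v1 SCT; pointers reference the caller's buffer. */
typedef struct {
    uint8_t version;              /* 0 == v1 */
    const uint8_t *log_id;        /* 32-byte SHA-256 of the log's public key */
    uint64_t timestamp_ms;        /* milliseconds since the Unix epoch */
    const uint8_t *sig; uint16_t sig_len;  /* DigitallySigned body, verified against the log key elsewhere */
} sct_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse a SignedCertificateTimestampList: 2-byte total length, then SCTs each
 * prefixed by a 2-byte length. Returns the SCT count or -1 if malformed; every
 * length is bounds-checked before use, since the bytes come from the peer. */
int parse_sct_list(const uint8_t *buf, size_t len, sct_t *out, int max) {
    if (len < 2 || (size_t)rd16(buf) != len - 2) return -1;
    const uint8_t *p = buf + 2, *end = buf + len;
    int n = 0;
    while (p < end) {
        if (end - p < 2) return -1;
        uint16_t sl = rd16(p); p += 2;
        if (sl > end - p || sl < 43) return -1;  /* fixed fields: 1+32+8+2 bytes */
        const uint8_t *se = p + sl, *q = p + 43;
        sct_t s = { p[0], p + 1, 0, NULL, 0 };
        for (int i = 0; i < 8; i++) s.timestamp_ms = (s.timestamp_ms << 8) | p[33 + i];
        uint16_t ext_len = rd16(p + 41);
        if (ext_len > se - q) return -1;
        q += ext_len;                            /* skip extensions */
        if (se - q < 4) return -1;               /* hash(1) sig(1) len(2) */
        s.sig_len = rd16(q + 2); s.sig = q + 4;
        if (s.sig_len != se - s.sig) return -1;  /* signature must end the SCT */
        if (n < max) out[n] = s;
        n++; p = se;
    }
    return n;
}

/* Time check as in proxy_post_handshake: only a v1 SCT whose timestamp is not
 * in the future (beyond an allowed clock skew) is queued for offline checks. */
int sct_time_ok(const sct_t *s, uint64_t now_ms, uint64_t skew_ms) {
    return s->version == 0 && s->timestamp_ms <= now_ms + skew_ms;
}

/* Constructed sample (not captured traffic): one SCT with a dummy 0x11.. log id,
 * timestamp 1397307608000 (2014-04-12 13:00:08 UTC), no extensions and a
 * 4-byte dummy SHA-256/ECDSA signature. Returns the list length (55 bytes). */
size_t build_sample_list(uint8_t *buf) {
    static const uint8_t head[] = { 0x00, 0x35, 0x00, 0x33, 0x00 };
    static const uint8_t tail[] = { 0x00, 0x00, 0x01, 0x45, 0x56, 0x06, 0x0B, 0xC0,
                                    0x00, 0x00, 0x04, 0x03, 0x00, 0x04, 0xDE, 0xAD, 0xBE, 0xEF };
    memcpy(buf, head, 5); memset(buf + 5, 0x11, 32); memcpy(buf + 37, tail, sizeof tail);
    return 37 + sizeof tail;
}
```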
