httpd-dev mailing list archives

From Stefan Eissing <stefan.eiss...@greenbytes.de>
Subject Re: Broken OCSP Stapling
Date Tue, 06 Jun 2017 08:48:44 GMT
Hanno,

Did you receive any reply on this from an httpd dev? I am currently about to embark on a project
in the OCSP neighbourhood, so I do not have 100% time available right now. But I would be
sorry to let such an opportunity for funded improvement of httpd go to waste...

If not, who would be a good contact at Linux Foundation / Core Infra to talk to?

Cheers,

Stefan

> On 31.05.2017 at 16:13, Hanno Böck <hanno@hboeck.de> wrote:
> 
> Hi,
> 
> On Wed, 31 May 2017 07:45:23 -0500
> Jim Riggs <apache-lists@riggs.me> wrote:
> 
>> This was mentioned in today's Bulletproof TLS newsletter
>> (https://www.feistyduck.com/bulletproof-tls-newsletter/issue_28_lets_encrypt_downtime.html):
>> 
>> https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html
> 
> I'm the author of that post, thanks for bringing that up.
> 
> In the meantime I found that there are even more bugs in the apache bz
> that are unhandled that sound quite concerning. This one
> https://bz.apache.org/bugzilla/show_bug.cgi?id=59049
> is imho a security vulnerability, yet it's been ignored for over a year.
> 
> 
> Please note also that I had some conversations with the Linux
> Foundation / Core Infrastructure Initiative about OCSP stapling and
> they indicated that they would consider to provide funding if there's an
> effort to improve the situation.
> 
> 
> -- 
> Hanno Böck
> https://hboeck.de/
> 
> mail/jabber: hanno@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

