trafficserver-users mailing list archives

From Dave Thompson <da...@oath.com>
Subject Re: Certificate Transparency / Expect-CT
Date Tue, 07 Nov 2017 21:45:12 GMT
A quick read through the 7.1.1 ATS code for OCSP handling: it looks like we're
using the OpenSSL API to handle interaction with the CA, and then passing the
response into our OpenSSL context for stapling in the handshake. So, I
believe the SCT is in the CA's response, though to ATS the response is an
unparsed, effectively opaque data buffer that it passes along to/from the
various OpenSSL APIs.

Regarding the Expect-CT header, perhaps the header rewrite plugin might be a good
way to enable it.

Dave Thompson

On Tue, Nov 7, 2017 at 8:58 AM, Jan Schaumann <jschauma@netmeister.org>
wrote:

> Hi,
>
> I'm looking for information about how far ATS supports Certificate
> Transparency and the Expect-CT header.
>
> My understanding is that a web server can provide the Signed Certificate
> Timestamps (SCTs) -- if they are not embedded in the certificate via an
> x509 extension by the CA -- either via a TLS extension or via OCSP
> stapling.
>
> I know that ATS can enable OCSP stapling, but I don't know whether that
> requires additional settings to include the SCTs, nor do I know the
> status of using the TLS extension in ATS.
>
> Does anybody here know if this is available in ATS?
>
> Related to this: is there work to add a simple configuration setting to
> set the 'Expect-CT' header?  I'd think it'd make sense to have that be
> configurable similar to the way HSTS is enabled in ATS.
>
> Thanks in advance for any pointers on this,
> -Jan
>
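An added example, not part of this thread and not ATS code: a small Python validator for the Expect-CT value an edge proxy would emit (for instance through the header rewrite plugin suggested above), using the directive syntax from the Expect-CT draft later published as RFC 9163. The deployment_warnings checks are this example's own assumed policy, not spec requirements.

```python
import re
from urllib.parse import urlparse
# Expect-CT directives (draft later published as RFC 9163), names case-insensitive:
#   max-age=<delta-seconds> (required, once), enforce (valueless),
#   report-uri="<absolute-URI>" (quoted-string). Unknown directives are ignored.

class ExpectCTError(ValueError):
    """Header value a conforming user agent would reject or misread."""

def parse_expect_ct(value: str) -> dict:
    """Parse an Expect-CT header value; raise ExpectCTError if malformed."""
    result = {"max_age": None, "enforce": False, "report_uri": None}
    seen = set()
    for raw in value.split(","):
        directive = raw.strip()
        if not directive:
            raise ExpectCTError("empty directive")
        name, sep, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip()
        if name in seen:
            raise ExpectCTError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", val):
                raise ExpectCTError("max-age must be a non-negative integer")
            result["max_age"] = int(val)
        elif name == "enforce":
            if sep:
                raise ExpectCTError("enforce takes no value")
            result["enforce"] = True
        elif name == "report-uri":
            if len(val) < 2 or val[0] != '"' or val[-1] != '"':
                raise ExpectCTError("report-uri must be a quoted-string")
            parts = urlparse(val[1:-1])
            if not (parts.scheme and parts.netloc):
                raise ExpectCTError("report-uri must be an absolute URI")
            result["report_uri"] = val[1:-1]
    if result["max_age"] is None:
        raise ExpectCTError("max-age is required")
    return result

def deployment_warnings(value: str) -> list:
    """Operational checks on a value a proxy is about to emit (assumed policy)."""
    p = parse_expect_ct(value)
    warnings = []
    if p["enforce"] and p["report_uri"] is None:
        warnings.append("enforce without report-uri: CT failures will go unreported")
    if p["report_uri"] and urlparse(p["report_uri"]).scheme != "https":
        warnings.append("report-uri is not https")
    return warnings
```

Run parse_expect_ct on the exact string you plan to configure in the proxy; a ValueError means browsers would ignore or misapply the policy.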
