Broken OCSP Stapling


Broken OCSP Stapling

Jim Riggs-4
This was mentioned in today's Bulletproof TLS newsletter (https://www.feistyduck.com/bulletproof-tls-newsletter/issue_28_lets_encrypt_downtime.html):

https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html

It discusses httpd's (and nginx's) broken OCSP stapling implementations. This is outside of my wheelhouse, but wanted to raise awareness for someone familiar with that code who may be interested in taking a look. The post references bz57121 from 2014(!).


Re: Broken OCSP Stapling

Hanno Böck
Hi,

On Wed, 31 May 2017 07:45:23 -0500
Jim Riggs <[hidden email]> wrote:

> This was mentioned in today's Bulletproof TLS newsletter
> (https://www.feistyduck.com/bulletproof-tls-newsletter/issue_28_lets_encrypt_downtime.html):
>
> https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html

I'm the author of that post, thanks for bringing that up.

In the meantime I found that there are even more bugs in the apache bz
that are unhandled that sound quite concerning. This one
https://bz.apache.org/bugzilla/show_bug.cgi?id=59049
is imho a security vulnerability, yet it's been ignored for over a year.


Please note also that I had some conversations with the Linux
Foundation / Core Infrastructure Initiative about OCSP stapling and
they indicated that they would consider to provide funding if there's an
effort to improve the situation.


--
Hanno Böck
https://hboeck.de/

mail/jabber: [hidden email]
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Re: Broken OCSP Stapling

Stefan Eissing
Hanno,

did you receive any reply on this from a httpd dev? I am currently about to embark on a project in the OCSP neighbourhood, so I do not have 100% time available right now. But I would be sorry to let such an opportunity for funded improvement of httpd go to waste...

If not, who would be a good contact at Linux Foundation / Core Infra to talk to?

Cheers,

Stefan



Re: Broken OCSP Stapling

Hanno Böck
On Tue, 6 Jun 2017 10:48:44 +0200
Stefan Eissing <[hidden email]> wrote:

> did you receive any reply on this from a httpd dev?

Unfortunately I haven't received any reply.

> If not, who would be a good contact at Linux Foundation / Core Infra
> to talk to?

I'll answer that in a private mail, don't want to give contact info on
a public mailing list.

--
Hanno Böck
https://hboeck.de/

mail/jabber: [hidden email]
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42