Feature #2278

OCSP support in lighttpd

Added by hgb over 6 years ago. Updated 4 months ago.

Status: New
Priority: Normal
Assignee: -
Category: TLS
Target version: -
Start date: 2010-12-10
Due date:
% Done: 0%
Missing in 1.5.x: No

Description

It would be useful for lighttpd to support CRLs and/or OCSP when doing client certificate verification. I haven't found anything indicating any support or work on it, so I've started a bit.

I'm attaching a patch against 1.4.28.

The patch has a couple of snags so far:
1) It isn't very well tested. It seems to work okay in the standard case, but whether it might leak memory, crash in some scenarios, etc., isn't entirely clear.
2) There's an 'ssl.ocsp.enforce' variable in there, but it isn't used at all.
3) We don't verify the OCSP response at all. This obviously has to be done, but it should be pretty simple.

Is this something that could be considered for merging?

ocsp.patch (7.53 KB) hgb, 2010-12-10 15:15


Related issues

Related to Feature #2469: OCSP Stapling Reopened 2013-02-04

History

#1 Updated by stbuehler over 6 years ago

The code blocks until it gets the response, no way we would merge it.

And 1.4 is the "stable branch" - I do not really want to push more features I have to support later :)

#2 Updated by hgb over 6 years ago

stbuehler wrote:

The code blocks until it gets the response, no way we would merge it.

And 1.4 is the "stable branch" - I do not really want to push more features I have to support later :)

Ah, I know. Forgot to list that in the snags... It has to be made non-blocking, but that adds a fair amount of code, so I didn't do it for the first attempt.

What's the ETA on 1.5?

#3 Updated by stbuehler over 6 years ago

We are not working on 1.5 anymore.

#4 Updated by hgb over 6 years ago

Aha. So it would have to be a 2.0 effort, then?

#5 Updated by stbuehler over 6 years ago

Yes. Although it is not certain which SSL lib we are going to support - I plan to have a look at http://www.mozilla.org/projects/security/pki/nss/

#6 Updated by gstrauss 12 months ago

  • Category set to TLS

#7 Updated by gstrauss 7 months ago

#8 Updated by gstrauss 4 months ago

#9 Updated by gstrauss 4 months ago
