OCSP support in lighttpd
It would be useful for lighttpd to support CRLs and/or OCSP when doing client certificate verification. I haven't found anything indicating any support or work on it, so I've started a bit.
I'm attaching a patch against 1.4.28.
The patch has a couple of snags so far:
1) It isn't very well tested. It seems to work okay in the standard case, but whether it might leak memory, crash on some scenarios, etc, isn't entirely clear.
2) There's a 'ssl.ocsp.enforce' variable in there, but it isn't used at all.
3) We don't verify the ocsp response at all. This obviously has to be done, but it should be pretty simple.
Is this something that could be considered for merging?
Updated by hgb over 7 years ago
The code blocks until it gets the response, no way we would merge it.
And 1.4 is the "stable branch" - i do not really want to push more features i have to support later :)
Ah, I know. Forgot to list that in the snags... It has to be made non-blocking, but that adds a fair amount of code, so I didn't do it for the first attempt.
What's the ETA on 1.5?
Also available in: Atom