Feature #2469

closed

OCSP Stapling

Added by holler about 11 years ago. Updated over 3 years ago.

Status:
Fixed
Priority:
Normal
Category:
TLS
Target version:
ASK QUESTIONS IN Forums:
No

Description

OCSP stapling was defined in 2006 and allows a web server to retrieve a signed time-stamped message containing the status of its own certificate that is passed to its client. This saves the client the need to make a connection back to the issuing CA to check the status of the certificate. This has both performance and privacy benefits for the client.

This is supported by the following web-servers:

- Apache 2.3 and later
- NginX 1.3.7 and later
- IIS 7.0 and later

Nothing in my favorite Lighttpd yet? :(



Related issues: 1 (0 open, 1 closed)

Related to Feature #2278: client cert verification via OCSP (Wontfix)

#1

Updated by stbuehler over 10 years ago

  • Target version set to 1.4.x

Notes:

  • No API documentation found: SSL_set_tlsext_status_ocsp_resp == SSL_ctrl(SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP) ?
  • afaics this has to be set in a blocking callback, cache response
    • for files: refresh if needed and file got changed
    • probably won't support retrieving ocsp response over network
#2

Updated by gstrauss almost 8 years ago

  • Category set to TLS
#3

Updated by carpii over 7 years ago

Just adding that I would love to see this in lighty 1.4.x also

[Edit: although 1.4 sounds unlikely. This ticket is a dupe of #2278]

#4

Updated by gstrauss over 7 years ago

  • Is duplicate of Feature #2278: client cert verification via OCSP added
#5

Updated by gstrauss over 7 years ago

  • Status changed from New to Duplicate

Never say never. :) Adding this to lighttpd 1.4.x is on the table, but not being worked on at the moment.

#6

Updated by gstrauss about 7 years ago

  • Is duplicate of deleted (Feature #2278: client cert verification via OCSP)
#7

Updated by gstrauss about 7 years ago

  • Related to Feature #2278: client cert verification via OCSP added
#8

Updated by gstrauss about 7 years ago

  • Status changed from Duplicate to Reopened

#2278 requests support for checking CRL/OCSP on certificates received from client.

This ticket requests that lighttpd send OCSP stapling info.

#9

Updated by mxm almost 7 years ago

The Chromium team are pushing Certificate Transparency (CT) hard and have announced that CT will be required from Sep 2017.
OCSP stapling is one of the easiest ways to implement the Signed Certificate Timestamp which CT requires from the CA to the site operator.
I think now is the best time for the appearance of OCSP stapling in Lighty after many years of waiting.

#10

Updated by gstrauss almost 6 years ago

  • Priority changed from Low to Normal
#11

Updated by gstrauss about 4 years ago

  • Status changed from Reopened to New
#12

Updated by gstrauss almost 4 years ago

  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.56
  • ASK QUESTIONS IN Forums set to No

Implemented in my dev branch. Would anyone like to help kick the tires?

#13

Updated by gstrauss over 3 years ago

  • Status changed from Patch Pending to Fixed
#14

Updated by maxentry over 3 years ago

I cannot find the support forum for lighttpd2, which I believe is the only one supporting OCSP stapling.
It looks like LetsEncrypt issues a response for stapling every week (as per the "This Update" and "Next Update" below). Does this mean we have to redownload the OCSP response every week (can be done with a cron job, BUT ...), and if so, is there a built-in way to extract the next update so as to ensure the cron job runs after that date? Also note that the "Produced At" date does not match the one in "This Update".
PS. I generated the OCSP response (as per below and image) on the 12th Aug 2020

Connecting to OCSP server: ocsp.int-x3.letsencrypt.org...
Resolving 'ocsp.int-x3.letsencrypt.org:80'...
Connecting to '151.5.18.16:80'...
OCSP Response Information:
Response Status: Successful
Response Type: Basic OCSP Response
Version: 1
Responder ID: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
Produced At: Tue Aug 11 18:39:00 UTC 2020
Responses:
Certificate ID:
Hash Algorithm: SHA1
Issuer Name Hash: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Issuer Key Hash: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Certificate Status: good
This Update: Tue Aug 11 18:00:00 UTC 2020
Next Update: Tue Aug 18 18:00:00 UTC 2020
Extensions:
Signature Algorithm: RSA-SHA256

Assuming response's signer = issuer (use --load-signer to override).
Verifying OCSP Response: Success.
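
Added example (not lighttpd code, and not written by anyone in this thread) that serves two of the points above: stbuehler's note #1 about caching the response read from a file and refreshing it when the file changes, and the question in #14 about the "This Update"/"Next Update" window and when a cron job should re-fetch. It parses the ocsptool-style text dump quoted in #14 (sample reconstructed from that dump with the hashes omitted), reports whether the cached response is still inside its validity window, and picks a refresh deadline at the midpoint of the window rather than at "Next Update", so a failed fetch leaves time to retry before clients start seeing an expired staple. The function and class names are this example's own. On the "Produced At" vs "This Update" mismatch: per RFC 6960, producedAt is when the responder signed the response and thisUpdate is the time at which the status is asserted to be correct, so they are not expected to match.

```python
"""Added example: staple validity window and cache-refresh decision."""
from datetime import datetime, timezone
import re

# Constructed sample: the fields from the dump in note #14 (hashes omitted).
SAMPLE_OCSP_INFO = """\
OCSP Response Information:
Response Status: Successful
Response Type: Basic OCSP Response
Version: 1
Responder ID: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
Produced At: Tue Aug 11 18:39:00 UTC 2020
Responses:
Certificate Status: good
This Update: Tue Aug 11 18:00:00 UTC 2020
Next Update: Tue Aug 18 18:00:00 UTC 2020
Signature Algorithm: RSA-SHA256
"""

_TIME_FMT = "%a %b %d %H:%M:%S UTC %Y"   # e.g. "Tue Aug 11 18:00:00 UTC 2020"
_FIELD_RE = re.compile(
    r"^\s*(Response Status|Certificate Status|Produced At|This Update|Next Update):\s*(.+?)\s*$")


def utc(year, month, day, hour=0, minute=0):
    """Helper so callers can build aware UTC timestamps without importing datetime."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_ocsp_info(text):
    """Pull status and validity-window fields out of the textual dump."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)

    def ts(key):
        return datetime.strptime(fields[key], _TIME_FMT).replace(tzinfo=timezone.utc)

    return {
        "response_status": fields.get("Response Status"),
        "cert_status": fields.get("Certificate Status"),
        "produced_at": ts("Produced At"),   # when the responder signed the response
        "this_update": ts("This Update"),   # status asserted correct from here ...
        "next_update": ts("Next Update"),   # ... until here; do not staple past it
    }


def staple_is_usable(info, now):
    """Only a successful 'good' response inside [thisUpdate, nextUpdate] should be stapled."""
    return (info["response_status"] == "Successful"
            and info["cert_status"] == "good"
            and info["this_update"] <= now <= info["next_update"])


def refresh_deadline(info, fraction=0.5):
    """Refresh at the midpoint of the window by default, not at nextUpdate,
    so a failed fetch leaves days to retry before the staple expires."""
    window = info["next_update"] - info["this_update"]
    return info["this_update"] + window * fraction


class StapleCache:
    """In-process cache of a staple read from a file (hypothetical design).
    Reload when the file's mtime changed (a cron job wrote a new response),
    when the cached response is no longer usable, or when the deadline passed."""

    def __init__(self, text, file_mtime):
        self.info = parse_ocsp_info(text)
        self.file_mtime = file_mtime

    def needs_refresh(self, now, current_file_mtime):
        if current_file_mtime != self.file_mtime:
            return True                      # new response on disk: re-read it
        if not staple_is_usable(self.info, now):
            return True                      # expired or not 'good': stop serving it
        return now >= refresh_deadline(self.info)


if __name__ == "__main__":
    info = parse_ocsp_info(SAMPLE_OCSP_INFO)
    print("refresh by:", refresh_deadline(info).isoformat())
    print("usable on Aug 12:", staple_is_usable(info, utc(2020, 8, 12)))
```

For the sample window (7 days) the refresh deadline lands 3.5 days in, on 15 Aug 06:00 UTC; a daily cron job, as stbuehler describes in #15, would replace the file before that point and the mtime check picks up the new response.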

#15

Updated by stbuehler over 3 years ago

maxentry wrote in #note-14:

> I cannot find the support forum for lighttpd2 which I believe is the only one supporting OCSP stapling.
> It looks like LetsEncrypt issues response for stapling every week (as per below This Update and Next update). Does this mean we have to redownload the OCSP response every week (can be done with a cron job, BUT ... ), and if so, is there a built-in way to extract the next update so as to ensure the cron job runs after that date? Also note that the Produced at date does not match the one in This update.

oh boy. you could have just used the "lighttpd" support forum, but why the f... did you hijack the lighttpd 1.4 issue?

And yes, cron job, I run it once a day. lighttpd2 has a real good reload function, don't worry.
(Having that complex code in the actual webserver didn't feel right to me, also it's a lot easier to script this in shell than implement it in C.)

#16

Updated by maxentry over 3 years ago

> oh boy. you could have just used the "lighttpd" support forum, but why the f... did you hijack the lighttpd 1.4 issue?

I didn't use the lighttpd forum just in case I got a tongue lashing for using the wrong forum, but I got one anyway (c'est la vie!). I also did not believe I was hijacking an issue as this relates to OCSP stapling, which this thread relates to (I tried getting the mod_openssl.c file from lighttpd2 into the 1.4.55 source but it failed to compile).

Anyhow, thanks for confirming the cron thingybob - will give this stapling a spin and will be sure to report back if I run into any issues (if that is ok)
