Feature #2278
OCSP support in lighttpd
0%
Description
It would be useful for lighttpd to support CRLs and/or OCSP when doing client certificate verification. I haven't found anything indicating any support or work on it, so I've started a bit.
I'm attaching a patch against 1.4.28.
The patch has a couple of snags so far:
1) It isn't very well tested. It seems to work okay in the standard case, but whether it might leak memory, crash on some scenarios, etc, isn't entirely clear.
2) There's a 'ssl.ocsp.enforce' variable in there, but it isn't used at all.
3) We don't verify the ocsp response at all. This obviously has to be done, but it should be pretty simple.
Is this something that could be considered for merging?
Related issues
History
Updated by stbuehler over 8 years ago
The code blocks until it gets the response, no way we would merge it.
And 1.4 is the "stable branch" - i do not really want to push more features i have to support later :)
Updated by hgb over 8 years ago
stbuehler wrote:
The code blocks until it gets the response, no way we would merge it.
And 1.4 is the "stable branch" - i do not really want to push more features i have to support later :)
Ah, I know. Forgot to list that in the snags... It has to be made non-blocking, but that adds a fair amount of code, so I didn't do it for the first attempt.
What's the ETA on 1.5?
Updated by stbuehler over 8 years ago
Yes. Although it is not sure which ssl lib we are going to support - i plan to have a look at http://www.mozilla.org/projects/security/pki/nss/
Also available in: Atom