client cert verification via OCSP
It would be useful for lighttpd to support CRLs and/or OCSP when doing client certificate verification. I haven't found anything indicating any support or work on it, so I've started a bit.
I'm attaching a patch against 1.4.28.
The patch has a couple of snags so far:
1) It isn't very well tested. It seems to work okay in the standard case, but whether it might leak memory, crash on some scenarios, etc, isn't entirely clear.
2) There's a 'ssl.ocsp.enforce' variable in there, but it isn't used at all.
3) We don't verify the ocsp response at all. This obviously has to be done, but it should be pretty simple.
Is this something that could be considered for merging?
Updated by hgb over 9 years ago
The code blocks until it gets the response, no way we would merge it.
And 1.4 is the "stable branch" - i do not really want to push more features i have to support later :)
Ah, I know. Forgot to list that in the snags... It has to be made non-blocking, but that adds a fair amount of code, so I didn't do it for the first attempt.
What's the ETA on 1.5?
- Subject changed from OCSP support in lighttpd to client cert verification via OCSP
- Status changed from New to Wontfix
- ASK QUESTIONS IN Forums set to No
The original request in the Description of this issue asked for CRLs and/or OCSP. Since CRLs were implemented in lighttpd 1.4.46 back in 2017, a solution has been provided.
The issue summary was renamed a long time ago to request OCSP support for client certification verification, as that had not been implemented.
Please see https://www.imperialviolet.org/2014/04/19/revchecking.html for discussion around revocation checking by clients. Some of the ideas also apply to server performing client certificate verification.
There would be little gain reaped, but substantial work needed on lighttpd to support asynchronous certificate verification via OCSP, and support for CRLs has been available in lighttpd for some time.
Please use CRLs (
ssl.ca-crl-file) to mark client certificates as revoked if you must do so before the client certificate expires.
Also available in: Atom