Project

General

Profile

Feature #2278

client cert verification via OCSP

Added by hgb over 9 years ago. Updated 6 days ago.

Status:
Wontfix
Priority:
Low
Category:
TLS
Target version:
-
ASK QUESTIONS IN Forums:
No

Description

It would be useful for lighttpd to support CRLs and/or OCSP when doing client certificate verification. I haven't found anything indicating any support or work on it, so I've started a bit.

I'm attaching a patch against 1.4.28.

The patch has a couple of snags so far:
1) It isn't very well tested. It seems to work okay in the standard case, but whether it might leak memory, crash on some scenarios, etc, isn't entirely clear.
2) There's a 'ssl.ocsp.enforce' variable in there, but it isn't used at all.
3) We don't verify the ocsp response at all. This obviously has to be done, but it should be pretty simple.

Is this something that could be considered for merging?

Files

ocsp.patch (7.53 KB) ocsp.patch hgb, 2010-12-10 15:15

Related issues

Related to Feature #2469: OCSP StaplingNew2013-02-04Actions
#1

Updated by stbuehler over 9 years ago

The code blocks until it gets the response, no way we would merge it.

And 1.4 is the "stable branch" - i do not really want to push more features i have to support later :)

#2

Updated by hgb over 9 years ago

stbuehler wrote:

The code blocks until it gets the response, no way we would merge it.

And 1.4 is the "stable branch" - i do not really want to push more features i have to support later :)

Ah, I know. Forgot to list that in the snags... It has to be made non-blocking, but that adds a fair amount of code, so I didn't do it for the first attempt.

What's the ETA on 1.5?

#3

Updated by stbuehler over 9 years ago

We are not working on 1.5 anymore.

#4

Updated by hgb over 9 years ago

Aha. So it would have to be a 2.0 effort, then?

#5

Updated by stbuehler over 9 years ago

Yes. Although it is not sure which ssl lib we are going to support - i plan to have a look at http://www.mozilla.org/projects/security/pki/nss/

#6

Updated by gstrauss about 4 years ago

  • Category set to TLS
#7

Updated by gstrauss over 3 years ago

#8

Updated by gstrauss over 3 years ago

#9

Updated by gstrauss over 3 years ago

#11

Updated by gstrauss about 2 years ago

  • Priority changed from Normal to Low
#12

Updated by gstrauss 6 days ago

  • Subject changed from OCSP support in lighttpd to client cert verification via OCSP
  • Status changed from New to Wontfix
  • ASK QUESTIONS IN Forums set to No

Support for CRLs for client certificate verification was added in lighttpd 1.4.46 in #2319
https://redmine.lighttpd.net/issues/2319
https://github.com/lighttpd/lighttpd1.4/pull/82

The original request in the Description of this issue asked for CRLs and/or OCSP. Since CRLs were implemented in lighttpd 1.4.46 back in 2017, a solution has been provided.

.

The issue summary was renamed a long time ago to request OCSP support for client certification verification, as that had not been implemented.

Please see https://www.imperialviolet.org/2014/04/19/revchecking.html for discussion around revocation checking by clients. Some of the ideas also apply to server performing client certificate verification.

There would be little gain reaped, but substantial work needed on lighttpd to support asynchronous certificate verification via OCSP, and support for CRLs has been available in lighttpd for some time.

Please use CRLs (ssl.ca-crl-file) to mark client certificates as revoked if you must do so before the client certificate expires.

Also available in: Atom