Posted to dev@httpd.apache.org by Stefan Eissing <st...@greenbytes.de> on 2019/06/24 15:12:40 UTC

mod_mdv2: stapling

I am looking for feedback and harsh critics from this excellent group of people here.
If you see mistakes or have ideas on improving, I'd appreciate it.

Cheers,

Stefan


The new OCSP stapling implementation in mod_md will:

- be for server certificates in virtual hosts
- co-exist with existing mod_ssl ocsp stapling
- be watchdog driven, file system persisted

Features of mod_ssl stapling I do not plan to implement:

- SSLStaplingFakeTryLater: 
  Either we have a response or not. If not, nothing is set in the response. On must-staple, clients will fail.
- SSLStaplingForceURL: 
  think I do not need it for the test setup.
- SSLStaplingResponseMaxAge: 
  there will be a "renew window" instead. So the watchdog will get a new response x amount of time before the existing one expires.
- SSLStaplingResponseTimeSkew: 
  I see no need.
- SSLStaplingReturnResponderErrors: 
  errors from OCSP responders are detected by the watchdog and logged. Clients only see valid stapling or no stapling.

Maybe I am missing a use case here. If you are aware of one (e.g. need for time skew), please let me know.


General interworking mod_ssl <-> mod_md: 2 new optional functions:

  apr_status_t md_stapling_init_cert(server_rec *s, X509 *cert, ...)
  apr_status_t md_stapling_get_response(md_ocsp_response **prsp, server_rec *s, X509 *cert, conn_rec *c...)

Via "MDStapling on|off", the admin can control the new stapling for all or just a particular MD.
Via "MDStapling all", the new stapling would apply to all certificates, even those not covered by an MD.

md_stapling_init_cert(...) will return:
  APR_SUCCESS, when mod_md takes over stapling of this server_rec
  APR_ENOTIMPL, when it does not and mod_ssl shall continue as it does now
  otherwise, a real error happened.

md_stapling_get_response(...) will return:
  APR_SUCCESS with a valid response
  APR_ENOENT if no valid response is available
  APR_ENOTIMPL if mod_md does not provide stapling for this server/cert
  otherwise, a real error happened.
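To make the return-code contract of the two optional functions concrete, here is an added example: a stand-alone C model of the mod_ssl <-> mod_md interworking sketched above, written for this page and not taken from httpd, mod_ssl or mod_md. Everything in it is an assumption made so it compiles without httpd, APR or OpenSSL: the apr_status_t values, the server_rec / X509 / md_ocsp_response stand-ins, the bodies of md_stapling_init_cert and md_stapling_get_response (the post only gives their signatures and return codes), the renew-window check, and the ssl_* callers on the mod_ssl side.

```c
/* Added example, not httpd/mod_ssl/mod_md code: a model of the proposed
 * mod_ssl <-> mod_md stapling handshake. All types, status values and
 * function bodies below are constructed stand-ins for this example. */
#include <stddef.h>
#include <stdio.h>
#include <time.h>

typedef int apr_status_t;
#define APR_SUCCESS   0
#define APR_ENOENT    2      /* stand-in value */
#define APR_ENOTIMPL  20023  /* stand-in value */
#define APR_EGENERAL  20014  /* stand-in value */

/* What the watchdog persisted for a certificate (constructed stand-in). */
typedef struct {
    const unsigned char *der;  /* DER OCSP response, sent in the status_request extension */
    size_t der_len;
    time_t next_update;        /* responder's nextUpdate, drives the renew window */
} md_ocsp_response;

/* Stand-ins for httpd's server_rec and OpenSSL's X509. */
typedef struct {
    const char *server_name;
    int md_stapling;           /* "MDStapling on" applies to this host */
    md_ocsp_response *stored;  /* NULL: the watchdog has no valid response yet */
} server_rec;
typedef struct { const char *subject; } X509;

/* --- mod_md side ---------------------------------------------------------- */

/* Renew window instead of SSLStaplingResponseMaxAge: the watchdog fetches a
 * fresh response renew_window seconds before the stored one expires. */
int md_stapling_needs_renewal(time_t now, time_t next_update, time_t renew_window)
{
    return next_update - now <= renew_window;
}

/* APR_SUCCESS: mod_md takes over stapling for this server; APR_ENOTIMPL:
 * mod_ssl continues as it does now. (Assumed body.) */
apr_status_t md_stapling_init_cert(server_rec *s, X509 *cert)
{
    (void)cert;
    return s->md_stapling ? APR_SUCCESS : APR_ENOTIMPL;
}

/* APR_SUCCESS with a response, APR_ENOENT if none is valid, APR_ENOTIMPL if
 * mod_md does not staple this cert. (Assumed body.) */
apr_status_t md_stapling_get_response(md_ocsp_response **prsp, server_rec *s, X509 *cert)
{
    (void)cert;
    if (!s->md_stapling) return APR_ENOTIMPL;
    if (s->stored == NULL) return APR_ENOENT;
    *prsp = s->stored;
    return APR_SUCCESS;
}

/* --- mod_ssl side --------------------------------------------------------- */

enum staple_action {
    STAPLE_MD,      /* send the response mod_md holds */
    STAPLE_MODSSL,  /* mod_md declined: mod_ssl uses its own stapling cache */
    STAPLE_NONE,    /* nothing valid: send no status at all (no tryLater fake) */
    STAPLE_ERROR    /* real error: log it; on the wire this also staples nothing */
};

/* Per-connection decision in the status_request callback. */
enum staple_action ssl_choose_staple(server_rec *s, X509 *cert, md_ocsp_response **out)
{
    *out = NULL;
    switch (md_stapling_get_response(out, s, cert)) {
    case APR_SUCCESS:  return STAPLE_MD;
    case APR_ENOTIMPL: return STAPLE_MODSSL;
    case APR_ENOENT:   return STAPLE_NONE;
    default:           return STAPLE_ERROR;
    }
}

/* Driver: md_on = MDStapling on/off for the host, have_rsp = watchdog has a response. */
enum staple_action simulate(int md_on, int have_rsp)
{
    static const unsigned char fake_der[] = { 0x30, 0x03, 0x0a, 0x01, 0x00 }; /* constructed bytes */
    md_ocsp_response rsp = { fake_der, sizeof fake_der, 0 };
    server_rec s = { "example.org", md_on, have_rsp ? &rsp : NULL };
    X509 cert = { "CN=example.org" };
    md_ocsp_response *out;
    if (md_stapling_init_cert(&s, &cert) == APR_ENOTIMPL) {
        return STAPLE_MODSSL;   /* at startup mod_ssl keeps ownership and never asks mod_md */
    }
    return ssl_choose_staple(&s, &cert, &out);
}

int main(void)
{
    static const char *names[] = { "mod_md response", "mod_ssl stapling", "no stapling", "error" };
    printf("MDStapling off             -> %s\n", names[simulate(0, 0)]);
    printf("MDStapling on, response    -> %s\n", names[simulate(1, 1)]);
    printf("MDStapling on, no response -> %s\n", names[simulate(1, 0)]);
    return 0;
}
```

The point the model makes visible is that APR_ENOENT and an error both end up as "no stapling" on the wire, which is what the post means by clients only ever seeing a valid staple or none; a must-staple certificate on such a host will therefore fail at the client until the watchdog has a response.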



Re: mod_mdv2: stapling

Posted by Stefan Eissing <st...@greenbytes.de>.
Please have a look in trunk if the current implementation is what you had in mind.

Cheers, Stefan

> Am 24.06.2019 um 17:39 schrieb Graham Leggett <mi...@sharp.fm>:
> 
> On 24 Jun 2019, at 17:25, Stefan Eissing <st...@greenbytes.de> wrote:
> 
>> You mean optional hooks by mod_ssl so that mod_md or someone else can take over?
> 
> Yes.
> 
> A while back I was looking at supporting an arbitrary collection of certificates instead of discrete certs per virtual host, and the md optional function was right where a hook would go. I've been meaning to fix this, but I'm drowning in stuff right now.
> 
> Regards,
> Graham
> —
> 


Re: mod_mdv2: stapling

Posted by Graham Leggett <mi...@sharp.fm>.
On 24 Jun 2019, at 17:25, Stefan Eissing <st...@greenbytes.de> wrote:

> You mean optional hooks by mod_ssl so that mod_md or someone else can take over?

Yes.

A while back I was looking at supporting an arbitrary collection of certificates instead of discrete certs per virtual host, and the md optional function was right where a hook would go. I've been meaning to fix this, but I'm drowning in stuff right now.

Regards,
Graham
—


Re: mod_mdv2: stapling

Posted by Stefan Eissing <st...@greenbytes.de>.
You mean optional hooks by mod_ssl so that mod_md or someone else can take over?

> Am 24.06.2019 um 17:23 schrieb Graham Leggett <mi...@sharp.fm>:
> 
> On 24 Jun 2019, at 17:12, Stefan Eissing <st...@greenbytes.de> wrote:
> 
>> General interworking mod_ssl <-> mod_md: 2 new optional functions:
> 
> One quick thing I wanted to bring up a while back - rather than optional functions which can only ever be provided by a single implementation, can these be hooks instead?
> 
> A hook allows additional modules to modify the behaviour if we want to in the future, without replacing mod_md.
> 
> Regards,
> Graham
> —
> 


Re: mod_mdv2: stapling

Posted by Graham Leggett <mi...@sharp.fm>.
On 24 Jun 2019, at 17:12, Stefan Eissing <st...@greenbytes.de> wrote:

> General interworking mod_ssl <-> mod_md: 2 new optional functions:

One quick thing I wanted to bring up a while back - rather than optional functions which can only ever be provided by a single implementation, can these be hooks instead?

A hook allows additional modules to modify the behaviour if we want to in the future, without replacing mod_md.

Regards,
Graham
—