Posted to dev@httpd.apache.org by Jim Riggs <ap...@riggs.me> on 2017/05/31 12:45:23 UTC

Broken OCSP Stapling

This was mentioned in today's Bulletproof TLS newsletter (https://www.feistyduck.com/bulletproof-tls-newsletter/issue_28_lets_encrypt_downtime.html):

https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html

It discusses httpd's (and nginx's) broken OCSP stapling implementations. This is outside of my wheelhouse, but I wanted to raise awareness for someone familiar with that code who may be interested in taking a look. The post references bz57121 from 2014(!).


Re: Broken OCSP Stapling

Posted by Hanno Böck <ha...@hboeck.de>.
On Tue, 6 Jun 2017 10:48:44 +0200
Stefan Eissing <st...@greenbytes.de> wrote:

> did you receive any reply on this from a httpd dev?

Unfortunately I haven't received any reply.

> If not, who would be a good contact at Linux Foundation / Core Infra
> to talk to?

I'll answer that in a private mail, don't want to give contact info on
a public mailing list.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Re: Broken OCSP Stapling

Posted by Stefan Eissing <st...@greenbytes.de>.
Hanno,

did you receive any reply on this from a httpd dev? I am currently about to embark on a project in the OCSP neighbourhood, so I do not have 100% time available right now. But I would be sorry to let such an opportunity for funded improvement of httpd go to waste...

If not, who would be a good contact at Linux Foundation / Core Infra to talk to?

Cheers,

Stefan

> Am 31.05.2017 um 16:13 schrieb Hanno Böck <ha...@hboeck.de>:
> 
> Hi,
> 
> On Wed, 31 May 2017 07:45:23 -0500
> Jim Riggs <ap...@riggs.me> wrote:
> 
>> This was mentioned in today's Bulletproof TLS newsletter
>> (https://www.feistyduck.com/bulletproof-tls-newsletter/issue_28_lets_encrypt_downtime.html):
>> 
>> https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html
> 
> I'm the author of that post, thanks for bringing that up.
> 
> In the meantime I found that there are even more bugs in the apache bz
> that are unhandled that sound quite concerning. This one
> https://bz.apache.org/bugzilla/show_bug.cgi?id=59049
> is imho a security vulnerability, yet it's been ignored for over a year.
> 
> 
> Please note also that I had some conversations with the Linux
> Foundation / Core Infrastructure Initiative about OCSP stapling and
> they indicated that they would consider providing funding if there's an
> effort to improve the situation.
> 
> 
> -- 
> Hanno Böck
> https://hboeck.de/
> 
> mail/jabber: hanno@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42


Re: Broken OCSP Stapling

Posted by Hanno Böck <ha...@hboeck.de>.
Hi,

On Wed, 31 May 2017 07:45:23 -0500
Jim Riggs <ap...@riggs.me> wrote:

> This was mentioned in today's Bulletproof TLS newsletter
> (https://www.feistyduck.com/bulletproof-tls-newsletter/issue_28_lets_encrypt_downtime.html):
> 
> https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html

I'm the author of that post, thanks for bringing that up.

In the meantime I found that there are even more bugs in the apache bz
that are unhandled that sound quite concerning. This one
https://bz.apache.org/bugzilla/show_bug.cgi?id=59049
is imho a security vulnerability, yet it's been ignored for over a year.


Please note also that I had some conversations with the Linux
Foundation / Core Infrastructure Initiative about OCSP stapling and
they indicated that they would consider providing funding if there's an
effort to improve the situation.


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42