On 06/09/2016 10:25, Kurt Roeckx wrote:
> On 2016-09-06 10:13, Nick Lamb wrote:
>> Quality of implementation for OCSP stapling seems to remain poor in at
>> least apache and nginx, two of the most popular servers. Apache's in
>> particular gives me that OpenSSL "We read this standards document and
>> implemented everything in it as a series of config options without any
>> understanding" feeling, rather than Apache's maintainers taking it
>> upon themselves to figure out what will actually work best for most
>> servers and implementing that.
>
> If you think there is something we can do in OpenSSL to improve this,
> please let us know.

Here is a list of software where I have personally observed bad OCSP
stapling support:

OpenSSL 1.0.x itself: There are hooks to provide stapled leaf OCSP
responses in sessions, but no meaningful sample code to do this right
(e.g. caching, error handling, etc.). I am working on my own add-on code
for this, but it is not complete and not deployed.
There is no builtin support for multistapling and no clear
documentation on how to add arbitrary TLS extensions (such as this) to
an OpenSSL application.

OpenSSL 1.1.x itself: This is a heavily rewritten library and very new
at this time, basic reliability procedures suggest waiting a few patch
levels before deployment.

Stunnel stand alone SSL/TLS filter (used with e.g. Varnish reverse proxies): OCSP stapling is on their TODO-list, but not yet included.

Pound light-weight reverse proxy with SSL/TLS front end: No OCSP stapling support in the standard version.

IIS for Windows Server 2008 (latest IIS supporting pure 32 bit configurations): No obvious (if any) OCSP stapling support.
Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
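The message above notes that the OpenSSL 1.0.x status-request hooks leave caching and error handling entirely to the application. The following is an added example, not code from the thread, from OpenSSL or from any of the servers named; it sketches the policy a server-side staple cache needs: refresh ahead of nextUpdate, keep the last good response when the responder is unreachable, refuse an expired or backwards-dated response, and send no staple at all once the cached one has expired. The OcspResponse record, the fetch callable and the constructed byte strings are assumptions for the demonstration; a real fetcher would POST to the responder URL from the certificate's AIA extension and parse the reply with a library, and the returned bytes would be handed to OpenSSL from the tlsext status callback via SSL_set_tlsext_status_ocsp_resp().

```python
"""Added example (not from the thread or from OpenSSL): a staple cache that
shows the caching and error-handling policy the message says the 1.0.x
hooks leave to the application."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional


@dataclass(frozen=True)
class OcspResponse:
    """Assumed shape: the DER bytes plus the parsed validity window."""
    der: bytes
    this_update: datetime
    next_update: datetime


# Hypothetical fetcher: in a real server this would contact the OCSP
# responder and parse the reply; here the demo injects constructed results.
Fetcher = Callable[[], OcspResponse]


class StapleCache:
    def __init__(self, fetch: Fetcher,
                 refresh_margin: timedelta = timedelta(hours=1),
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._fetch = fetch
        self._margin = refresh_margin      # refresh this long before nextUpdate
        self._clock = clock
        self._current: Optional[OcspResponse] = None
        self.fetch_errors = 0              # consecutive failures, for monitoring

    @staticmethod
    def _is_valid(resp: OcspResponse, now: datetime) -> bool:
        return resp.this_update <= now < resp.next_update

    def _needs_refresh(self, now: datetime) -> bool:
        return (self._current is None
                or now >= self._current.next_update - self._margin)

    def refresh(self, now: Optional[datetime] = None) -> bool:
        """Try to replace the cached response; never discard a good one on error."""
        now = now or self._clock()
        try:
            fresh = self._fetch()
        except Exception:
            self.fetch_errors += 1          # responder down: keep last good staple
            return False
        if not self._is_valid(fresh, now):
            self.fetch_errors += 1          # expired or not-yet-valid response
            return False
        if self._current is not None and fresh.this_update < self._current.this_update:
            self.fetch_errors += 1          # older than what we hold: refuse to regress
            return False
        self._current = fresh
        self.fetch_errors = 0
        return True

    def staple(self) -> Optional[bytes]:
        """Bytes to staple for this handshake, or None to send no status answer."""
        now = self._clock()
        if self._needs_refresh(now):
            self.refresh(now)
        if self._current is not None and self._is_valid(self._current, now):
            return self._current.der
        return None   # a stale staple would fail client checks; better to omit it


def demo() -> List[Optional[bytes]]:
    """Walk the cache through fetch success, responder outage, staple expiry
    and recovery, using constructed responses and a controllable clock."""
    t0 = datetime(2016, 9, 6, 10, 0, tzinfo=timezone.utc)
    clock = {"now": t0}
    responder = {"resp": OcspResponse(b"RESP1", t0 - timedelta(hours=1),
                                      t0 + timedelta(days=7))}

    def fetch() -> OcspResponse:
        if responder["resp"] is None:
            raise ConnectionError("responder unreachable (simulated)")
        return responder["resp"]

    cache = StapleCache(fetch, clock=lambda: clock["now"])
    out = [cache.staple()]                                  # fresh fetch: RESP1
    clock["now"] = t0 + timedelta(days=6, hours=23, minutes=30)
    responder["resp"] = None                                # outage inside margin
    out.append(cache.staple())                              # RESP1 still valid
    clock["now"] = t0 + timedelta(days=7, minutes=1)
    out.append(cache.staple())                              # expired: no staple
    responder["resp"] = OcspResponse(b"RESP2", clock["now"] - timedelta(minutes=5),
                                     clock["now"] + timedelta(days=7))
    out.append(cache.staple())                              # recovered: RESP2
    return out


if __name__ == "__main__":
    print(demo())
```

The refresh margin is the key tuning knob: it must be larger than the responder's worst plausible outage you want to ride through, but smaller than the validity window. Alerting on fetch_errors rather than on handshake failures is what turns a responder outage into an operator ticket before clients start seeing missing staples.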