After some time off (off this topic, at least), I am now trying to work my way
through the stapling code and the mechanisms of caching in mod_ssl. Phew... I
had expected this to be a little more straight forward even for a non-C-guru
like me. *sigh* ;)
My favourite place to have the OCSP caching done is in ssl_engine_ocsp.c ->
verify_ocsp_status(), right where an OCSP request would be created:
static int verify_ocsp_status(...)
{
[...]
/* Query response cache HERE */
ruri = determine_responder_uri(sc, cert, c, pool);
if (!ruri) {
return V_OCSP_CERTSTATUS_UNKNOWN;
}
request = create_request(ctx, cert, &certID, s, pool);
[...]
The idea, inspired by your stapling code, Steve, is:
- Use SHA1 hash of cert (X509_digest(cert, EVP_sha1(), idx, NULL)) as key for
the cache.
- Query cache for entry of idx above
-_ only create and dispatch new request, if no or invalid entry
- store/update response after (new) request has been dispatched and response
has been received
- validate response (either received from cache or from connection to
responder) --> this code is present, of course, and has been further customized
already.
Is there a possibility to *not* customize a bunch of files like ssl_private.h,
ssl_scache.c, ssl_engine_init.c and so on, but have all necessary handling
placed here in ssl_engine_ocsp.c (and maybe ssl_util_ocsp.c), without messing
up?
Of course, I see the pros of a generic approach, but this is definitely only
for internal OCSP caching nothing to be communicated outside of this place.
On a more detailed level, it is the caching mechanisms that trouble me. What
needs to be done to execute caching operations?
- Define and initialize a cache - similar to SSL session cache. The actual SSL
session cache functions and structures cannot be used for this, just with a
different storage (file)?
- Define and initialize a mutex for access to this additional cache...
So, I am lacking the right way to start this up, aims being at first a quick
implementation and continued refactoring to a really well done solution
afterwards. :-/
Mit freundlichen Grüßen / Kind regards
Natanael Mignon
Von: Dr Stephen Henson [shen...@oss-institute.org]
Gesendet: Freitag, 11. September 2009 11:45
An: dev@httpd.apache.org
Betreff: Re: OCSP stapling in mod_ssl - use as OCSP cache for client
authentication
What I think you are trying to do is to include a cache for OCSP queries the
proxy itself makes which is IMHO the best solution. So instead of always
consulting the OCSP responder it instead checks the cache to see if there is a
valid OCSP response in there, if it is expired or invalid then and only then
would it renew the response by making an actual query. Doing things that way
doesn't need OCSP stapling support in the server(s).
If that's correct then you could reuse some of the OCSP response query and
caching code in the stapling patch. It implements similar functionality.