Re: Broken OCSP Stapling

2017-06-06 Thread Hanno Böck
On Tue, 6 Jun 2017 10:48:44 +0200
Stefan Eissing wrote:

> did you receive any reply on this from a httpd dev?

Unfortunately I haven't received any reply.

> If not, who would be a good contact at Linux Foundation / Core Infra
> to talk to?

I'll answer that in a private mail, don't want to give contact info on
a public mailing list.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42


Re: Broken OCSP Stapling

2017-06-06 Thread Stefan Eissing
Hanno,

did you receive any reply on this from a httpd dev? I am currently about to 
embark on a project in the OCSP neighbourhood, so I do not have 100% time 
available right now. But I would be sorry to leave such an opportunity for 
funded improvement of httpd go to waste...

If not, who would be a good contact at Linux Foundation / Core Infra to talk to?

Cheers,

Stefan

> On 31.05.2017 at 16:13, Hanno Böck wrote:
> 
> Hi,
> 
> On Wed, 31 May 2017 07:45:23 -0500
> Jim Riggs wrote:
> 
>> This was mentioned in today's Bulletproof TLS newsletter
>> (https://www.feistyduck.com/bulletproof-tls-newsletter/issue_28_lets_encrypt_downtime.html):
>> 
>> https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html
> 
> I'm the author of that post, thanks for bringing that up.
> 
> In the meantime I found that there are even more bugs in the apache bz
> that are unhandled that sound quite concerning. This one
> https://bz.apache.org/bugzilla/show_bug.cgi?id=59049
> is imho a security vulnerability, yet it's been ignored for over a year.
> 
> 
> Please note also that I had some conversations with the Linux
> Foundation / Core Infrastructure Initiative about OCSP stapling and
> they indicated that they would consider to provide funding if there's an
> effort to improve the situation.
> 
> 
> -- 
> Hanno Böck
> https://hboeck.de/
> 
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42



Re: Broken OCSP Stapling

2017-05-31 Thread Hanno Böck
Hi,

On Wed, 31 May 2017 07:45:23 -0500
Jim Riggs wrote:

> This was mentioned in today's Bulletproof TLS newsletter
> (https://www.feistyduck.com/bulletproof-tls-newsletter/issue_28_lets_encrypt_downtime.html):
> 
> https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html

I'm the author of that post, thanks for bringing that up.

In the meantime I found that there are even more bugs in the apache bz
that are unhandled that sound quite concerning. This one
https://bz.apache.org/bugzilla/show_bug.cgi?id=59049
is imho a security vulnerability, yet it's been ignored for over a year.


Please note also that I had some conversations with the Linux
Foundation / Core Infrastructure Initiative about OCSP stapling and
they indicated that they would consider to provide funding if there's an
effort to improve the situation.


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42


Broken OCSP Stapling

2017-05-31 Thread Jim Riggs
This was mentioned in today's Bulletproof TLS newsletter 
(https://www.feistyduck.com/bulletproof-tls-newsletter/issue_28_lets_encrypt_downtime.html):

https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html

It discusses httpd's (and nginx's) broken OCSP stapling implementations. This 
is outside of my wheelhouse, but wanted to raise awareness for someone familiar 
with that code who may be interested in taking a look. The post references 
bz57121 from 2014(!).