subject:"Re\: svn commit\: r1633730 \- \/httpd\/httpd\/trunk\/docs\/conf\/extra\/httpd\-ssl.conf.in"

Re: svn commit: r1633730 - /httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in

2014-11-01 Thread Kaspar Brand

On 27.10.2014 12:55, Jeff Trawick wrote:
 Putting SSLUseStapling at global scope makes it easier for the admin, who
 may have had trouble getting SSL working in the first place.

I don't see yet how it makes it easier - my point is more that an
admin should consciously enable OCSP stapling when he is configuring a
certificate for a virtual host, i.e., SSLUseStapling should appear after
the SSLCertificateFile in the VirtualHost _default_:443 block. (This
applies even more to cases where people put their VirtualHost configs
into separate files - having a global setting inadvertently apply to
all VirtualHosts is something I would want to avoid.)

 I'm not aware
 of any real drawbacks.  Messages will be logged if stapling can't be
 performed for a particular certificate (missing certificate chain, no
 responder URL in certificate or in configuration), but that may be a good
 thing.  And the server will start up normally.

If the primary concern is that configuring mod_ssl (getting SSL
working as you put it) is too complex for the typical admin, then
streamlining our current httpd-ssl.conf would probably make more sense -
there's stuff in there which standard https sites almost never need
(SSLCACertificate{Path,File}, SSLCARevocation* etc., making it pretty
hard for an inexperienced admin to identify those directives which
really matter).

 (Without disagreeing with your per-certificate comment, it is worth
 noting that we have no per-certificate stapling configuration -- only
 per-vhost.  I have no idea how many configurations that affects, but I
 guess that the number is increasing based on effort put into mod_ssl in the
 last year or so.)

It is mostly hindered by the release of OpenSSL 1.0.2 anyway, because
currently, there's the issue of not being able to configure
per-certificate chains in OpenSSL up to 1.0.1.

Generally speaking, I consider SSLStaplingForceURL sort of a kludge - it
might be justified for those (very few) high-traffic sites where the
OCSP URI is deliberately omitted from the certificate (and which are
unlikely to deploy httpd/mod_ssl, BTW), but doesn't really help with the
configure a proxy for retrieving to-be-stapled OCSP responses (you
would need an OCSP-aware proxy under the URL pointed to by
SSLStaplingForceURL, a simple HTTP proxy is not sufficient).

 Factoring in 50% management overhead/fragmentation, I could fit responses
 for 28+ certificates in 32768 bytes if they were like the ones I have
 already.  The current number seems very conservative for the sort of
 configuration for which we can't expect enough configuration skills to
 review the comments in the sample before putting in production.

As mentioned by Hanno elsewhere, more than a few certificates sounds
rather fuzzy, and it would be more helpful for the reader of this
comment to have some data for typical response sizes. They basically
depend on what option is used for response signing according to section
2.2 of RFC 6960:

All definitive response messages SHALL be digitally signed.  The key
used to sign the response MUST belong to one of the following:
 
- the CA who issued the certificate in question
 
- a Trusted Responder whose public key is trusted by the requestor
 
- a CA Designated Responder (Authorized Responder, defined in
  Section 4.2.2.2) who holds a specially marked certificate issued
  directly by the CA, indicating that the responder may issue OCSP
  responses for that CA

For publicly-trusted certificates (in the sense of the CA/Browser
Forum's Baseline Requirements), it's options 1 and 3 which are of
relevance. Examples can be seen at [1] and [2], respectively, i.e. we
are in the range of 500 to 1600 bytes for the DER encoding, and I would
hardly expect responses with more than 2000 bytes (unless large signing
keys/algorithms are used). I didn't look at how these numbers translate
to our stapling cache, though.

Kaspar


[1] 
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEEt1V4JpOQyb4y8S7F9tlF4%3D
(Content-Length: 471)

[2] 
http://sr.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR0JBRnBp%2F14Jg%2FXj4aa6BlKlQVdQQUAVmr5906C1mmZGPWzyAHV9WR52oCEBrIXreuw1E82A2FOF7P0gg%3D
(Content-Length: 1595)

Re: svn commit: r1633730 - /httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in

2014-10-27 Thread Jeff Trawick

On Sun, Oct 26, 2014 at 3:18 AM, Kaspar Brand httpd-dev.2...@velox.ch
wrote:

 On 23.10.2014 02:59, traw...@apache.org wrote:
  Author: trawick
  Date: Thu Oct 23 00:59:40 2014
  New Revision: 1633730
 
  URL: http://svn.apache.org/r1633730
  Log:
  add OCSP Stapling configuration, disabled by default
 
  Modified:
  httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
 
  Modified: httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
  URL:
 http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in?rev=1633730r1=1633729r2=1633730view=diff
 
 ==
  --- httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in (original)
  +++ httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in Thu Oct 23
 00:59:40 2014
  @@ -73,6 +73,31 @@ SSLPassPhraseDialog  builtin
   SSLSessionCacheshmcb:ssl_scache(512000)
   SSLSessionCacheTimeout  300
 
  +#   OCSP Stapling (requires OpenSSL 0.9.8h or later)
  +#
  +#   This feature is disabled by default and requires at least
  +#   the two directives SSLUseStapling and SSLStaplingCache.
  +#   Refer to the documentation on OCSP Stapling in the SSL/TLS
  +#   How-To for more information.
  +#
  +#   Enable stapling for all SSL-enabled servers:
  +#SSLUseStapling On

 OCSP stapling is primarily a per-certificate feature - so my suggestion
 would be to only have the cache related directives (SSLStaplingCache,
 SSLStaplingStandardCacheTimeout, SSLStaplingErrorCacheTimeout) at the
 global level, and put the other ones into the default VirtualHost block.


Putting SSLUseStapling at global scope makes it easier for the admin, who
may have had trouble getting SSL working in the first place.  I'm not aware
of any real drawbacks.  Messages will be logged if stapling can't be
performed for a particular certificate (missing certificate chain, no
responder URL in certificate or in configuration), but that may be a good
thing.  And the server will start up normally.

(Without disagreeing with your per-certificate comment, it is worth
noting that we have no per-certificate stapling configuration -- only
per-vhost.  I have no idea how many configurations that affects, but I
guess that the number is increasing based on effort put into mod_ssl in the
last year or so.)

Other thoughts out there?


  +
  +#   Define a relatively small cache for OCSP Stapling using
  +#   the same mechanism that is used for the SSL session cache
  +#   above.  If stapling is used with more than a few certificates,
  +#   the size may need to be increased.  (AH01929 will be logged.)
  +#SSLStaplingCache shmcb:ssl_stapling(32768)

 Shouldn't we make it a bit larger by default? Memory is so cheap these
 days that I'm not sure it's worth to keep it that small.


Factoring in 50% management overhead/fragmentation, I could fit responses
for 28+ certificates in 32768 bytes if they were like the ones I have
already.  The current number seems very conservative for the sort of
configuration for which we can't expect enough configuration skills to
review the comments in the sample before putting in production.

On the one hand I agree with memory is so cheap but on the other hand I
see sample configs for SSLStaplingCache on the www with 15 or more
bytes, so I guess there is a lack of any clue about what the number, or
even the cache itself, is actually for.  I like it being a bit closer to
reality.

Other thoughts out there?




  +
  +#   Override the OCSP responder URL specified in the certificate
  +#SSLStaplingForceURL http://ocsp.example.com/

 I suggest to omit this in the sample configuration, as certificates
 issued by publicly-trusted CAs which lack an OCSP URI (based on section
 13.2.1 in the CA/Browser Forum's Baseline Requirements [1] that the URI
 may be omitted for a high-traffic FQDN when stapling is contractually
 or technically enforced) do 1) not exist as of today and 2) are
 definitely not what a typical deployment with mod_ssl entails. Having
 SSLStaplingForceURL in the sample configuration (especially as a global
 directive) does more harm than good, IMO.


I will pull it out; FWIW, I think the most common reason for override would
be to implement a responder proxy, whether to meet infrastructure
requirements in the web tier or to have a more flexible way to deal with
responder glitches than what can be configured in mod_ssl.

Thanks a bunch for your review, and I hope others will look at it.


 Kaspar


 [1] https://cabforum.org/documents/#Baseline-Requirements




-- 
Born in Roswell... married an alien...
http://emptyhammock.com/

Re: svn commit: r1633730 - /httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in

2014-10-26 Thread Kaspar Brand

On 23.10.2014 02:59, traw...@apache.org wrote:
 Author: trawick
 Date: Thu Oct 23 00:59:40 2014
 New Revision: 1633730
 
 URL: http://svn.apache.org/r1633730
 Log:
 add OCSP Stapling configuration, disabled by default
 
 Modified:
 httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
 
 Modified: httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
 URL: 
 http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in?rev=1633730r1=1633729r2=1633730view=diff
 ==
 --- httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in (original)
 +++ httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in Thu Oct 23 00:59:40 
 2014
 @@ -73,6 +73,31 @@ SSLPassPhraseDialog  builtin
  SSLSessionCacheshmcb:ssl_scache(512000)
  SSLSessionCacheTimeout  300
  
 +#   OCSP Stapling (requires OpenSSL 0.9.8h or later)
 +#
 +#   This feature is disabled by default and requires at least
 +#   the two directives SSLUseStapling and SSLStaplingCache.
 +#   Refer to the documentation on OCSP Stapling in the SSL/TLS
 +#   How-To for more information.
 +#
 +#   Enable stapling for all SSL-enabled servers:
 +#SSLUseStapling On

OCSP stapling is primarily a per-certificate feature - so my suggestion
would be to only have the cache related directives (SSLStaplingCache,
SSLStaplingStandardCacheTimeout, SSLStaplingErrorCacheTimeout) at the
global level, and put the other ones into the default VirtualHost block.

 +
 +#   Define a relatively small cache for OCSP Stapling using
 +#   the same mechanism that is used for the SSL session cache
 +#   above.  If stapling is used with more than a few certificates,
 +#   the size may need to be increased.  (AH01929 will be logged.)
 +#SSLStaplingCache shmcb:ssl_stapling(32768)

Shouldn't we make it a bit larger by default? Memory is so cheap these
days that I'm not sure it's worth to keep it that small.

 +
 +#   Override the OCSP responder URL specified in the certificate
 +#SSLStaplingForceURL http://ocsp.example.com/

I suggest to omit this in the sample configuration, as certificates
issued by publicly-trusted CAs which lack an OCSP URI (based on section
13.2.1 in the CA/Browser Forum's Baseline Requirements [1] that the URI
may be omitted for a high-traffic FQDN when stapling is contractually
or technically enforced) do 1) not exist as of today and 2) are
definitely not what a typical deployment with mod_ssl entails. Having
SSLStaplingForceURL in the sample configuration (especially as a global
directive) does more harm than good, IMO.

Kaspar


[1] https://cabforum.org/documents/#Baseline-Requirements

Re: svn commit: r1633730 - /httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in

Re: svn commit: r1633730 - /httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in

Re: svn commit: r1633730 - /httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in

3 matches

Site Navigation

Mail list logo

Footer information