[jira] [Commented] (TS-3362) Do not staple negative OCSP response
[ https://issues.apache.org/jira/browse/TS-3362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14352430#comment-14352430 ]

Leif Hedstrom commented on TS-3362:

Do we still want to do this? If not, please close (remove fix version) as won't fix.

Do not staple negative OCSP response

Key: TS-3362
URL: https://issues.apache.org/jira/browse/TS-3362
Project: Traffic Server
Issue Type: Improvement
Components: SSL
Reporter: Feifei Cai
Labels: review
Fix For: sometime
Attachments: TS-3362.diff

When we get an OCSP response, we check it before caching/stapling it. If it's negative, I think we'd better discard it instead of sending it back to the user agent. This would not increase the security risk: the user agent would query the CA for the OCSP response if ATS does not staple it with the certificate.

-- This message was sent by Atlassian JIRA (v6.3.4#6332)
[ https://issues.apache.org/jira/browse/TS-3362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14352446#comment-14352446 ]

Feifei Cai commented on TS-3362:

Thanks [~zwoop]. I'll close this ticket.
[ https://issues.apache.org/jira/browse/TS-3362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14309296#comment-14309296 ]

Scott Beardsley commented on TS-3362:

Just a quick question on terminology: does "negative response" include both a fetch failure and a revoked status? It seems we might want to treat those differently. If we do serve revoked status we should complain (loudly) since this is a fatal error. Clients should send a bad_certificate_status_response alert but we shouldn't need to wait for that message to know about this condition.
[ https://issues.apache.org/jira/browse/TS-3362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14303416#comment-14303416 ]

Sudheer Vinukonda commented on TS-3362:

Minor comment on style: would it be better to use a switch/case for the different statuses instead of an if/else if?
[ https://issues.apache.org/jira/browse/TS-3362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14302958#comment-14302958 ]

Scott Beardsley commented on TS-3362:

Fei, it looks like you are re-using existing metrics. Would it make sense to report these error conditions into new metrics instead of overloading the existing user_agent_unknown_cert and user_agent_revoked_cert? These metric names don't provide any hints that they may be related to OCSP.

Also, you had a different version which reported debug messages to the ssl_ocsp tag instead of just ssl. I found that useful for debugging just OCSP-related issues.
[ https://issues.apache.org/jira/browse/TS-3362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14303582#comment-14303582 ]

James Peach commented on TS-3362:

Why should we not staple the negative response? If the user agent has to go and fetch it, that's an opportunity for an attacker to interrupt the transaction (i.e. an attacker could make the UA believe the OCSP server is unavailable). We should have a much better reason for making this change than what has been presented so far.
[ https://issues.apache.org/jira/browse/TS-3362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14303589#comment-14303589 ]

Sudheer Vinukonda commented on TS-3362:

Agree. If the concern is about serving a *stale* negative response, we could perhaps consider shorter refresh times (or even none) for caching a negative response?
[ https://issues.apache.org/jira/browse/TS-3362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14302982#comment-14302982 ]

Feifei Cai commented on TS-3362:

Oh, yes, you're right. The fetch and check of the OCSP response is an independent thread, not in the SSL handshake. I should report it in some new metrics, e.g. proxy.process.ssl.ocsp_revoked_certstatus, proxy.process.ssl.ocsp_unknown_certstatus... And I'll extend the ssl debug tag to ssl_ocsp. I'll attach a new patch soon.
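The thread above touches several distinct points: checking a fetched response before caching or stapling it (the issue description), treating a fetch failure differently from a revoked status and complaining loudly on the latter (Scott Beardsley), using a switch/case over the statuses and giving negative answers a shorter refresh time (Sudheer Vinukonda), and counting outcomes in OCSP-specific metrics (the proposed proxy.process.ssl.ocsp_revoked_certstatus and proxy.process.ssl.ocsp_unknown_certstatus). The following C++ block is an added example that pulls those points together in one decision function; it is not the attached TS-3362.diff and not Traffic Server code. It goes slightly beyond the thread by also rejecting responses outside their thisUpdate/nextUpdate window (which TLS clients would reject anyway) and by exposing both sides of the staple-or-discard debate as a policy switch. Everything except the two metric names quoted from the thread (OcspPolicy, evaluate_ocsp_response, the other counter names, the timeouts) is an assumption made for illustration, and the sample responses are constructed.

```cpp
// Added example for the TS-3362 discussion; not the ticket's patch and not
// Traffic Server code. Type, function and policy names are assumptions.
#include <cstdint>
#include <cstdio>
#include <ctime>
#include <map>
#include <string>

// How the refresh thread's fetch from the CA responder ended (constructed model).
enum class OcspFetch { Ok, NetworkError, ResponderError, Malformed };

// Certificate status inside a successful response (RFC 6960 CertStatus).
enum class OcspCertStatus { Good, Revoked, Unknown };

struct OcspResponse {
  OcspFetch fetch = OcspFetch::Ok;
  OcspCertStatus status = OcspCertStatus::Unknown;  // meaningful only when fetch == Ok
  std::time_t this_update = 0;
  std::time_t next_update = 0;  // 0: the responder gave no nextUpdate
};

// What the SSL layer should do with the freshly fetched response.
enum class StapleAction { Staple, KeepPrevious, Discard };

struct StapleDecision {
  StapleAction action;
  std::time_t refetch_at;  // when the refresh thread should try again
  bool fatal;              // revoked: complain loudly, not just count
};

// Per-outcome counters. The *_revoked_certstatus and *_unknown_certstatus
// names are the ones proposed in the thread; the others are assumptions.
struct OcspMetrics {
  std::map<std::string, uint64_t> counters;
  void inc(const std::string& n) { ++counters[n]; }
  uint64_t get(const std::string& n) const {
    auto it = counters.find(n);
    return it == counters.end() ? 0 : it->second;
  }
};

struct OcspPolicy {
  bool staple_negative = true;    // false implements the ticket's proposal
  std::time_t clock_skew = 300;   // tolerate 5 min skew on thisUpdate
  std::time_t default_ttl = 3600; // refresh for a good answer without nextUpdate
  std::time_t negative_ttl = 60;  // short refresh for non-good answers
  std::time_t fetch_retry = 30;   // back-off after a failed or invalid fetch
};

// Evaluate a response before it is cached or stapled.
StapleDecision evaluate_ocsp_response(const OcspResponse& r, std::time_t now,
                                      const OcspPolicy& p, OcspMetrics& m) {
  // A failed fetch is not a "negative" status: nothing was said about the
  // certificate, so keep whatever is already stapled and retry soon.
  if (r.fetch != OcspFetch::Ok) {
    m.inc("proxy.process.ssl.ocsp_fetch_failed");
    return {StapleAction::KeepPrevious, now + p.fetch_retry, false};
  }
  // Validity window applies to every status: a stale or not-yet-valid
  // response must never reach the client.
  if (r.this_update > now + p.clock_skew ||
      (r.next_update != 0 && r.next_update <= now)) {
    m.inc("proxy.process.ssl.ocsp_invalid_window");
    return {StapleAction::Discard, now + p.fetch_retry, false};
  }
  switch (r.status) {  // one case per status, as suggested in review
    case OcspCertStatus::Good: {
      m.inc("proxy.process.ssl.ocsp_good_certstatus");
      std::time_t until = r.next_update ? r.next_update : now + p.default_ttl;
      return {StapleAction::Staple, until, false};
    }
    case OcspCertStatus::Revoked:
      m.inc("proxy.process.ssl.ocsp_revoked_certstatus");
      // Fatal for the operator either way; whether the client also sees the
      // answer is the policy question the ticket debates. Negative answers
      // are re-fetched quickly so a stale one is never served for long.
      return {p.staple_negative ? StapleAction::Staple : StapleAction::Discard,
              now + p.negative_ttl, true};
    case OcspCertStatus::Unknown:
      m.inc("proxy.process.ssl.ocsp_unknown_certstatus");
      return {p.staple_negative ? StapleAction::Staple : StapleAction::Discard,
              now + p.negative_ttl, false};
  }
  return {StapleAction::Discard, now + p.fetch_retry, false};  // not reached
}

int main() {
  OcspMetrics m;
  OcspPolicy p;
  std::time_t now = std::time(nullptr);
  OcspResponse r;  // constructed sample: a fresh "revoked" answer
  r.status = OcspCertStatus::Revoked;
  r.this_update = now - 60;
  r.next_update = now + 86400;
  StapleDecision d = evaluate_ocsp_response(r, now, p, m);
  std::printf("action=%d fatal=%d revoked_count=%llu\n", static_cast<int>(d.action),
              static_cast<int>(d.fatal),
              static_cast<unsigned long long>(m.get("proxy.process.ssl.ocsp_revoked_certstatus")));
  return 0;
}
```

With the default policy a revoked answer is still stapled (James Peach's position: the client learns the truth without a second fetch an attacker could block) but is flagged fatal and counted separately; setting staple_negative to false gives the behaviour the ticket originally asked for, and in both cases the short negative_ttl addresses the stale-negative concern.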