[gnutls-devel] Interaction between TLS session resumption and the OCSP must-staple certificate extension

Tim Kosse tim.kosse at filezilla-project.org
Mon Jun 26 22:15:39 CEST 2017


I've recently been made aware of a problem [1][2] connecting the
FileZilla FTP client (linked against GnuTLS 3.5.13) to a recent ProFTPD
server (linked against OpenSSL). To prevent data connection theft, FTP
over TLS has to rely [3] on TLS session resumption for the data connection.

If using a certificate that has the status_request tlsfeatures X.509
certificate extension [4] ("OCSP must staple"), any handshakes using TLS
session resumption fail with GNUTLS_CERT_MISSING_OCSP_STATUS.

Unfortunately, it looks like an oversight in RFC7633: it does not specify
how must-staple interacts with resumed sessions.

I'm not quite sure who's at fault here and where to implement a fix:
GnuTLS or OpenSSL/ProFTPD?

Regarding GnuTLS: If using a resumed session, assuming the program using
GnuTLS did not deliberately ignore verification errors on the initial
handshake, we know that the initial session already had a properly
stapled OCSP response. Would it be feasible to just ignore a missing
OCSP response in resumed sessions?

Regarding the latter: Do the TLS specifications allow for a
CertificateStatus handshake packet to be sent in a resumed session? If
so, I think this issue is something TJ needs to investigate further in
ProFTPD, possibly escalating it as an OpenSSL bug.


[1] https://forum.filezilla-project.org/viewtopic.php?t=45684
[2] https://forums.proftpd.org/smf/index.php/topic,12187.0/all.html
[3] https://forum.filezilla-project.org/viewtopic.php?p=137191#p137191
[4] https://tools.ietf.org/html/rfc7633
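
The check discussed in the message above, as an added C example that is not part of the original post and is not GnuTLS, OpenSSL or ProFTPD code: it parses the RFC 7633 TLS feature extension value to detect must-staple, then applies either the strict policy (the reported failure on resumption) or the relaxation the message asks about. The function names, the `lenient` switch and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Read a DER length (short form, or long form of 1-2 bytes); 0 on success. */
static int der_len(const unsigned char *d, size_t n, size_t *pos, size_t *out)
{
    if (*pos >= n) return -1;
    unsigned char b = d[(*pos)++];
    if (b < 0x80) { *out = b; return 0; }
    size_t k = b & 0x7f;
    if (k == 0 || k > 2 || n - *pos < k) return -1;
    for (*out = 0; k > 0; k--) *out = (*out << 8) | d[(*pos)++];
    return 0;
}

/* Features ::= SEQUENCE OF INTEGER (RFC 7633). Returns 1 if status_request
 * (TLS extension type 5) is listed, 0 if not, -1 if the value is malformed. */
int tlsfeature_requires_staple(const unsigned char *d, size_t n)
{
    size_t pos = 0, len, ilen, v;
    int found = 0;
    if (n < 2 || d[pos++] != 0x30) return -1;
    if (der_len(d, n, &pos, &len) || len != n - pos) return -1;
    while (pos < n) {
        if (d[pos++] != 0x02 || der_len(d, n, &pos, &ilen) || ilen == 0 ||
            ilen > 3 || ilen > n - pos || (d[pos] & 0x80))
            return -1;   /* not a small non-negative INTEGER */
        for (v = 0; ilen > 0; ilen--) v = (v << 8) | d[pos++];
        if (v == 5) found = 1;
    }
    return found;
}

/* 1 = accept, 0 = reject for a missing staple. lenient=0 is the behaviour
 * reported in the message; lenient=1 is the relaxation it asks about. */
int staple_ok(int must_staple, int stapled, int resumed, int initial_ok, int lenient)
{
    if (!must_staple || stapled) return 1;
    if (lenient && resumed && initial_ok) return 1;
    return 0;
}

int main(void)
{
    const unsigned char ext[] = { 0x30, 0x03, 0x02, 0x01, 0x05 }; /* constructed */
    int ms = tlsfeature_requires_staple(ext, sizeof ext);
    printf("must_staple=%d strict=%d lenient=%d\n", ms,
           staple_ok(ms, 0, 1, 1, 0), staple_ok(ms, 0, 1, 1, 1));
    return 0;
}
```

Passing the parser's result straight into `staple_ok` fails closed: a malformed extension (-1) is non-zero and is therefore treated as must-staple.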
