[gnutls-devel] support of stapled OCSP responses under TLS1.3
Stefan Bühler
stbuehler at lighttpd.net
Tue Nov 21 11:03:40 CET 2017
Hi,
On 11/20/2017 08:56 AM, Nikos Mavrogiannopoulos wrote:
> On Fri, Oct 13, 2017 at 1:50 PM, Nikos Mavrogiannopoulos
> <n.mavrogiannopoulos at gmail.com> wrote:
>> Hi,
>> I'm going through the support of stapled OCSP responses under TLS1.3.
>> The major change in TLS1.3 is that there can be an OCSP response for
>> each certificate sent, rather than one response for the
>> end-certificate, and such responses can be provided also for the
>> client certificate.
>> Supporting multiple responses when verifying the certificates seems
>> straightforward as we were doing that transparently without the
>> application intervening.
> [...]
>
> Hi,
> The merge request introducing multiple OCSP staples under TLS1.3 is at:
> https://gitlab.com/gnutls/gnutls/merge_requests/548
>
> It tries hard not to require new APIs by enhancing
> gnutls_certificate_set_ocsp_status_request_file() to parse the
> response file and associate it with a certificate. On the other hand,
> a new callback could not be avoided to retrieve more than one
> response, hence
> gnutls_certificate_set_ocsp_status_request_function3() is added, as
> well as gnutls_ocsp_status_request_get2() for applications to read the
> responses.
As far as I can see, gnutls_certificate_set_ocsp_status_request_function3
provides the necessary interface.
> I'd appreciate a review on that new functionality if you are already
> familiar with the previous OCSP handling code, or intend to use it.
>
> After a discussion with Hubert Kario, I've also opened [0] which is
> about automating the retrieval of OCSP responses and association with
> server credentials, to reduce complexity from servers. It's currently
> a bit low priority in the tls1.3 plan [1], and up for grabs, but it
> would make an application server's code much simpler.
A first step to make usage simpler would be to add a function similar to
gnutls_certificate_set_ocsp_status_request_file which accepts a
gnutls_datum_t instead of a filename.
And even simpler would be auto-loading these responses from "OCSP
RESPONSE" pem blocks in certificate files (or separate "ocsp" files).
(I made up the term "OCSP RESPONSE"; afaik there is no standard name for
this).
cheers,
Stefan
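The auto-loading idea above, sketched as an added Python example that is not part of this thread or of GnuTLS: it splits a PEM bundle and attaches each "OCSP RESPONSE" block to the certificate immediately preceding it, giving one staple per chain element as TLS 1.3 allows. The label itself, the helper names and the placeholder payloads are assumptions (the post notes there is no standard PEM name for such a block).

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed label: no standard PEM name exists for a stapled response.
OCSP_LABEL = "OCSP RESPONSE"
CERT_LABEL = "CERTIFICATE"

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

@dataclass
class CertEntry:
    cert_der: bytes
    ocsp_der: Optional[bytes] = None  # staple for this certificate, if any

def load_bundle(pem_text: str) -> List[CertEntry]:
    """Return certificates in file order, each paired with the OCSP RESPONSE
    block that directly follows it (leaf first, then intermediates)."""
    entries: List[CertEntry] = []
    for label, body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if label == CERT_LABEL:
            entries.append(CertEntry(cert_der=der))
        elif label == OCSP_LABEL:
            # A response must belong to a certificate, and only one per cert.
            if not entries:
                raise ValueError("OCSP RESPONSE block precedes any certificate")
            if entries[-1].ocsp_der is not None:
                raise ValueError("more than one OCSP RESPONSE for one certificate")
            entries[-1].ocsp_der = der
        # Other labels (e.g. PRIVATE KEY) are left to the credential loader.
    return entries

def pem_block(label: str, payload: bytes) -> str:
    """Wrap raw bytes in a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

# Constructed sample bundle: payloads are placeholder bytes, not real DER.
SAMPLE_BUNDLE = (
    pem_block(CERT_LABEL, b"leaf-cert-der")
    + pem_block(OCSP_LABEL, b"leaf-ocsp-der")
    + pem_block(CERT_LABEL, b"intermediate-cert-der")
    + pem_block(OCSP_LABEL, b"intermediate-ocsp-der")
    + pem_block(CERT_LABEL, b"root-cert-der")  # root carries no staple
)
```

Feeding the resulting per-certificate staples to a callback is then a lookup by chain index rather than a single end-entity response.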