VanL via curl-library
2021-04-23 20:51:42 UTC
(Disclaimer: Working for a client)
We currently have a requirement to perform certificate revocation checks on
all the HTTPS connections our device performs. Curl is a key library we use
to perform these HTTPS connections. Curl currently supports an option to
request and verify a stapled OCSP response on an HTTPS connection
(CURLOPT_SSL_VERIFYSTATUS). However, not all servers support stapled OCSP.
In that case, Curl will terminate the connection since it was not able to
verify the status of the server certificate.
We would like to expand Curl's support for OCSP verification beyond OCSP
stapling to include online OCSP. If a server does not return an OCSP stapled
response, Curl can be configured to request the OCSP status of the
certificate from the OCSP responder information listed in the certificate.
This would allow more servers to be supported by Curl if OCSP verification
is desired. This is the behavior of Firefox, which has led the browser
market in certificate revocation support.
We wanted to get commentary on this as a feature, as well as the proposed
flow, before creating an issue with a proposed pull request.
Current logic:
Request stapled OCSP response
-> Connect to server
-> Receive response?
Y -> Check signature and time. Valid?
Y -> Status OK?
Y -> CONTINUE CONNECT
N -> Abort
N -> Abort
N -> Abort
Proposed logic:
Request stapled OCSP response
-> Connect to server
-> Receive response?
Y -> Check signature and time. Valid?
(NEW) OPTION: OCSP_CACHE?
Y -> Store response in cache, continue
N -> Continue
Y -> Status OK?
Y -> CONTINUE CONNECT
N -> Abort
N -> Abort
N -> (NEW) Certificate is must staple?
Y -> Abort
N -> OPTION: OCSP_CACHE?
Y -> Previous response in cache?
Y -> Check signature and time. Valid?
Y -> CONTINUE CONNECT
N -> Abort
N -> OPTION: OCSP_ONLINE?
Y -> Request OCSP response. Received?
Y -> Check signature and time. Valid?
Y -> (Goto OCSP_CACHE Option) and Response
Status OK?
Y -> CONTINUE CONNECT
N -> Abort
N -> Abort
N -> Abort
N -> OPTION: OCSP_SOFT_FAIL?
Y -> CONTINUE CONNECT
N -> Abort
N -> (Goto OCSP_ONLINE Option)
We would like feedback on the desirability of adding this to curl as opposed
to putting it in a separate library. If there is interest, we can provide
suggested semantics for each of the options.
Thanks,
Van
OSPOCO
Van Lindberg
<https://ospo.co/> Open Source Program Office as a Service
<mailto:***@ospo.co> ***@ospo.co | 210.201.2024
This message and any attachments may contain privileged or confidential
information.
All applicable rights and privileges, including attorney-client privilege,
are reserved and
asserted. If you are not the intended recipient or believe that you have
received this
communication in error, please do not print, copy, share, or otherwise use
the information.
We currently have a requirement to perform certificate revocation checks on
all the HTTPS connections our device performs. Curl is a key library we use
to perform these HTTPS connections. Curl currently supports an option to
request and verify a stapled OCSP response on an HTTPS connection
(CURLOPT_SSL_VERIFYSTATUS). However, not all servers support stapled OCSP.
In that case, Curl will terminate the connection since it was not able to
verify the status of the server certificate.
We would like to expand Curl's support for OCSP verification beyond OCSP
stapling to include online OCSP. If a server does not return an OCSP stapled
response, Curl can be configured to request the OCSP status of the
certificate from the OCSP responder information listed in the certificate.
This would allow more servers to be supported by Curl if OCSP verification
is desired. This is the behavior of Firefox, which has led the browser
market in certificate revocation support.
We wanted to get commentary on this as a feature, as well as the proposed
flow, before creating an issue with a proposed pull request.
Current logic:
Request stapled OCSP response
-> Connect to server
-> Receive response?
Y -> Check signature and time. Valid?
Y -> Status OK?
Y -> CONTINUE CONNECT
N -> Abort
N -> Abort
N -> Abort
Proposed logic:
Request stapled OCSP response
-> Connect to server
-> Receive response?
Y -> Check signature and time. Valid?
(NEW) OPTION: OCSP_CACHE?
Y -> Store response in cache, continue
N -> Continue
Y -> Status OK?
Y -> CONTINUE CONNECT
N -> Abort
N -> Abort
N -> (NEW) Certificate is must staple?
Y -> Abort
N -> OPTION: OCSP_CACHE?
Y -> Previous response in cache?
Y -> Check signature and time. Valid?
Y -> CONTINUE CONNECT
N -> Abort
N -> OPTION: OCSP_ONLINE?
Y -> Request OCSP response. Received?
Y -> Check signature and time. Valid?
Y -> (Goto OCSP_CACHE Option) and Response
Status OK?
Y -> CONTINUE CONNECT
N -> Abort
N -> Abort
N -> Abort
N -> OPTION: OCSP_SOFT_FAIL?
Y -> CONTINUE CONNECT
N -> Abort
N -> (Goto OCSP_ONLINE Option)
We would like feedback on the desirability of adding this to curl as opposed
to putting it in a separate library. If there is interest, we can provide
suggested semantics for each of the options.
Thanks,
Van
OSPOCO
Van Lindberg
<https://ospo.co/> Open Source Program Office as a Service
<mailto:***@ospo.co> ***@ospo.co | 210.201.2024
This message and any attachments may contain privileged or confidential
information.
All applicable rights and privileges, including attorney-client privilege,
are reserved and
asserted. If you are not the intended recipient or believe that you have
received this
communication in error, please do not print, copy, share, or otherwise use
the information.