
add support for OCSP stapling #7812

Closed
appliedprivacy opened this issue May 12, 2019 · 3 comments

Comments

@appliedprivacy
Contributor

@appliedprivacy appliedprivacy commented May 12, 2019

  • Program: dnsdist
  • Issue type: Feature request

Short description

Adding support for OCSP stapling would:

  • reduce latency (no need to contact OCSP server)
  • improve privacy (no need to disclose the visit to the 3rd party OCSP server)

Expected behaviour

DoH and DoT should support OCSP stapling.
And maybe enable it by default?

Actual behaviour

DoH listener does not appear to support OCSP stapling.
(DoT status not tested)

Other information

h2o appears to support it:

https://h2o.examp1e.net/index.html

Key Features: automatic OCSP stapling

@rgacogne
Member

@rgacogne rgacogne commented May 20, 2019

I agree it would be a very nice feature to have and we will ponder it in later versions. I don't think it would make sense for dnsdist to open up an HTTP connection to the OCSP server itself, but IMHO we should consider implementing the ability to load the OCSP stapling response from a file at startup and to reload it at runtime from the console, like haproxy does.

@rgacogne rgacogne added this to the dnsdist-1.5.0 milestone May 20, 2019
@appliedprivacy
Contributor Author

@appliedprivacy appliedprivacy commented May 25, 2019

Thanks for considering this feature request.

> I don't think it would make sense for dnsdist to open up a HTTP connection to the OCSP server itself

Can you elaborate why it would not make sense to implement OCSP stapling like i.e. a webserver does? (nginx will fetch the necessary data from the OCSP server)

@rgacogne
Member

@rgacogne rgacogne commented May 27, 2019

> Can you elaborate why it would not make sense to implement OCSP stapling like i.e. a webserver does? (nginx will fetch the necessary data from the OCSP server)

It would mean teaching dnsdist how to extract the OCSP endpoint from the certificate, how to do an HTTP query and parse an HTTP response, how to construct an OCSP query and parse an OCSP response, and keep track of the OCSP response expiry and refresh times. All of this, while doable, is in my opinion not the best use of our time and would increase the complexity and thus attack surface of dnsdist. I think loading an OCSP stapling response from a file and letting an external program do the needful would be a nice middle ground, but of course other people might disagree.
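The "external program doing the needful" that the comment above proposes, as an added example that is not part of this issue or of dnsdist: a small POSIX shell script around the openssl CLI that pulls the responder URI out of the leaf certificate, fetches a DER OCSP response and atomically replaces the staple file only when the responder says "good". It assumes a PEM chain file with the leaf first and its issuer second, and a CA bundle path (Debian's is used as the default) against which the responder's signing chain verifies.

```shell
#!/bin/sh
# Constructed example of an out-of-process OCSP staple fetcher; dnsdist would
# only ever read the resulting DER file. Not dnsdist's or haproxy's own code.
set -eu

# Print the OCSP responder URI from the certificate's AIA extension.
ocsp_uri() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Print the Nth certificate of a PEM bundle (1 = leaf, 2 = issuer).
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n' "$1"
}

# refresh_staple CHAIN.pem STAPLE.der [CA_BUNDLE]
# Fetch a fresh response for the leaf and swap it in atomically. On any
# failure (no URI, network error, bad signature, status not "good") the
# old staple file is left untouched, so a flaky responder cannot replace a
# valid staple with garbage. Expiry tracking is left to the scheduler that
# runs this script (e.g. cron) well before the current staple's Next Update.
refresh_staple() {
    chain=$1; staple=$2; cafile=${3:-/etc/ssl/certs/ca-certificates.crt}
    uri=$(ocsp_uri "$chain")
    [ -n "$uri" ] || { echo "no OCSP URI in $chain" >&2; return 1; }
    tmp=$(mktemp -d); rc=1
    nth_cert "$chain" 1 > "$tmp/leaf.pem"
    nth_cert "$chain" 2 > "$tmp/issuer.pem"
    # -no_nonce: CAs serve pre-signed responses, which cannot echo a nonce.
    # -respout keeps the raw DER response, which is what gets stapled.
    if openssl ocsp -issuer "$tmp/issuer.pem" -cert "$tmp/leaf.pem" \
           -url "$uri" -no_nonce -CAfile "$cafile" \
           -respout "$tmp/staple.der" > "$tmp/out.txt" 2>&1 \
       && grep -q 'Response verify OK' "$tmp/out.txt" \
       && grep -q ': good$' "$tmp/out.txt"; then
        mv -f "$tmp/staple.der" "$staple"   # rename is atomic on one FS
        rc=0
    else
        echo "OCSP refresh failed:" >&2; cat "$tmp/out.txt" >&2
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage: staple.sh refresh /etc/dnsdist/chain.pem /etc/dnsdist/staple.der
case "${1:-}" in
    refresh) shift; refresh_staple "$@" ;;
esac
```

After a successful run the file is ready for whatever reload mechanism the TLS frontend offers; nothing here assumes a particular dnsdist console command.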
