
OCSP proxy for firewallvm #879

Open
marmarek opened this issue Mar 8, 2015 · 3 comments
Labels
C: core help wanted This issue will probably not get done in a timely fashion without help from community contributors. P: major Priority: major. Between "default" and "critical" in severity. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.

Comments

@marmarek
Member

marmarek commented Mar 8, 2015

Reported by joanna on 3 Jul 2014 11:54 UTC
A typical problem: the user wants to allow only https traffic to select AppVM, yet for most https sites to work correctly (at least those with EV certs) the web browser is expected to also connect over OCSP to check the cert. Unfortunately OCSP is HTTP not HTTPS...

Currently I manually look into the cert details where URI to OCSP is written, and then manually add this to the firewall rules. Sometimes I can't get the "green bar" working though...

Migrated-From: https://wiki.qubes-os.org/ticket/879

@marmarek
Member Author

marmarek commented Mar 8, 2015

Comment by marmarek on 4 Jul 2014 22:45 UTC
Some CAs have very sophisticated infrastructure for hosting OCSP, including a whole server farm, DNS round robin changing every few minutes etc. For example I had to add those rules for verisign (manually in qubes_firewall_user_script!):

```shell
# X = the AppVM's IP address; rules are inserted at the top of FORWARD, before the default deny
#  crl.verisign.net
iptables -I FORWARD -s X -d 199.7.0.190/255.255.0.255 -p tcp --dport 80 -j ACCEPT
#  ocsp.verisign.net
iptables -I FORWARD -s X -d 199.7.0.72/255.255.0.255 -p tcp --dport 80 -j ACCEPT
#  seal.verisign.net
iptables -I FORWARD -s X -d 199.7.0.231/255.255.0.255 -p tcp --dport 443 -j ACCEPT
```

But apparently it isn't working anymore.

So indeed some proxy would be helpful. Potential problem: how to let the browser use the proxy? It would be the best if it would be used only for OCSP queries, but I'm afraid it isn't possible. Perhaps it should intercept all http traffic (and filter it similar to our yum proxy)?
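
Both the reporter's manual step in the first comment (read the OCSP URI out of the certificate's details, then open the firewall for that host) and the proxy question here come down to two checks, shown below as an added example that is not Qubes OS code and not from anyone in this thread. `ocsp_uris()` walks a certificate's DER with a small stdlib-only parser and returns the id-ad-ocsp URIs from the Authority Information Access extension; `is_ocsp_request()` is the request-level test an OCSP-only HTTP proxy in the firewall VM would apply, following RFC 6960 Appendix A (a POST with `Content-Type: application/ocsp-request` and a DER body, or a GET whose path carries the base64 DER request). The DER samples `SAMPLE_EXTENSIONS` and `SAMPLE_OCSP_REQUEST`, the `example.test` hostnames and all function names are constructed here and are assumptions, not anything on this page.

```python
"""Added example (not Qubes OS code): the two checks behind an OCSP-only path
through the firewall VM.  ocsp_uris() reads the responder URI from a cert's
Authority Information Access extension (the "cert details" read by hand above);
is_ocsp_request() is the RFC 6960 Appendix A test a filtering proxy would apply.
All DER samples below are constructed in this file, not taken from a real CA."""
import base64
import urllib.parse

OID_AIA = bytes.fromhex("2b06010505070101")      # 1.3.6.1.5.5.7.1.1  id-pe-authorityInfoAccess
OID_AD_OCSP = bytes.fromhex("2b06010505073001")  # 1.3.6.1.5.5.7.48.1 id-ad-ocsp

def der_tlv(buf: bytes, pos: int):
    """Decode the DER tag and length at buf[pos]; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    n = first & 0x7F if first >= 0x80 else 0          # number of long-form length octets
    if n > 4 or (first >= 0x80 and n == 0):
        raise ValueError("unsupported DER length")
    length = first if n == 0 else int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    end = pos + 2 + n + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, pos + 2 + n, end

def der_children(buf: bytes, start: int, end: int):
    """(tag, start, end) of every TLV packed into buf[start:end]."""
    out, pos = [], start
    while pos < end:
        out.append(der_tlv(buf, pos))
        pos = out[-1][2]
    return out

def ocsp_uris(der: bytes):
    """All id-ad-ocsp URIs in the AIA extension; walks any DER, so a whole certificate works."""
    found = []
    def walk(start, end):
        kids = der_children(der, start, end)
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
        if kids and kids[0][0] == 0x06 and der[kids[0][1]:kids[0][2]] == OID_AIA:
            octets = next(k for k in kids if k[0] == 0x04)
            _, s, e = der_tlv(der, octets[1])                # AuthorityInfoAccessSyntax SEQUENCE
            for _, ds, de in der_children(der, s, e):        # AccessDescription { method OID, [6] URI }
                desc = der_children(der, ds, de)
                if len(desc) == 2 and der[desc[0][1]:desc[0][2]] == OID_AD_OCSP and desc[1][0] == 0x86:
                    found.append(der[desc[1][1]:desc[1][2]].decode("ascii"))
            return
        for tag, s, e in kids:
            if tag & 0x20:                                   # constructed type: descend into it
                walk(s, e)
    walk(0, len(der))
    return found

def is_der_sequence(blob: bytes) -> bool:
    """True if blob is exactly one DER SEQUENCE whose length matches; an OCSPRequest is one."""
    try:
        tag, _, end = der_tlv(blob, 0)
    except (IndexError, ValueError):
        return False
    return tag == 0x30 and end == len(blob)

def ocsp_get_path(base_path: str, request_der: bytes) -> str:
    """Client side of RFC 6960 A.1: {url}/{url-encoded base64 of the DER OCSPRequest}."""
    return base_path.rstrip("/") + "/" + urllib.parse.quote(base64.b64encode(request_der).decode(), safe="")

def is_ocsp_request(method: str, path: str, headers: dict, body: bytes = b"") -> bool:
    """Proxy-side decision: forward only what is an OCSP request by RFC 6960 A.1, drop the rest."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if method.upper() == "POST":
        ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
        return ctype == "application/ocsp-request" and is_der_sequence(body)
    if method.upper() == "GET":
        # The base64 blob can itself contain '/' and clients differ on percent-encoding it,
        # so try every '/'-delimited suffix of the path as the candidate request.
        parts = path.split("?", 1)[0].split("/")
        for i in range(len(parts)):
            try:
                blob = base64.b64decode(urllib.parse.unquote("/".join(parts[i:])), validate=True)
            except ValueError:                               # not base64 (binascii.Error is a ValueError)
                continue
            if blob and is_der_sequence(blob):
                return True
    return False

def der(tag: int, content: bytes) -> bytes:
    """Tiny DER encoder, used only to build the constructed samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# Constructed X.509 "[3] extensions": AIA (OCSP + caIssuers) followed by a critical basicConstraints.
SAMPLE_EXTENSIONS = der(0xA3, der(0x30,
    der(0x30, der(0x06, OID_AIA) + der(0x04, der(0x30,
        der(0x30, der(0x06, OID_AD_OCSP) + der(0x86, b"http://ocsp.example.test"))
        + der(0x30, der(0x06, bytes.fromhex("2b06010505073002")) + der(0x86, b"http://ca.example.test/certs/intermediate-ca.crt")))))
    + der(0x30, der(0x06, bytes.fromhex("551d13")) + der(0x01, b"\xff") + der(0x04, der(0x30, b"")))))

# Constructed OCSPRequest { tbsRequest { requestList { Request { CertID { sha1, hashes, serial } } } } }
CERT_ID = der(0x30, der(0x30, der(0x06, bytes.fromhex("2b0e03021a")) + der(0x05, b""))
          + der(0x04, b"\x11" * 20) + der(0x04, b"\x22" * 20) + der(0x02, b"\x01\x02\x03"))
SAMPLE_OCSP_REQUEST = der(0x30, der(0x30, der(0x30, der(0x30, CERT_ID))))
```

Fed a real certificate (for example the DER written by `openssl x509 -outform DER`), `ocsp_uris()` yields the hosts whose addresses the reporter currently copies into firewall rules by hand; `urllib.parse.urlsplit(uri).hostname` is the value a rule needs. The proxy-side check matches the shape of the request rather than the destination address, which is what makes it stable against responders that sit behind server farms and changing DNS round robins. It does not answer the question raised in this comment of how the browser is made to use the proxy: a transparent proxy still has to see all of the AppVM's port-80 traffic in order to pick the OCSP requests out of it.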

@marmarek marmarek added this to the Release 2.1 (post R2) milestone Mar 8, 2015
@marmarek marmarek added T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. C: core P: major Priority: major. Between "default" and "critical" in severity. labels Mar 8, 2015
@marmarek
Member Author

marmarek commented Mar 8, 2015

Comment by axon on 22 Jul 2014 12:32 UTC
What if you just allow HTTP access to the entire CIDR block of the OCSP host in the AppVM's firewall rules?

For example, if your desired EV website is https://twitter.com, whose OCSP URI is http://EVSecure-ocsp.verisign.com, you would allow 23.0.0.0/12 over HTTP in the firewall rules of the AppVM.

This is currently working for me.

@andrewdavidwong
Member

> What if you just allow HTTP access to the entire CIDR block of the OCSP host in the AppVM's firewall rules?

I've been using this workaround for a while now, but it's not entirely reliable, since sometimes the OCSP host IP changes. So, some kind of proxy would be much better, I think.

@marmarek marmarek modified the milestones: Far in the future, Release 2.1 (post R2) Oct 3, 2015
@andrewdavidwong andrewdavidwong added the help wanted This issue will probably not get done in a timely fashion without help from community contributors. label Jun 9, 2016
andrewdavidwong added a commit that referenced this issue Jun 9, 2016
@andrewdavidwong andrewdavidwong removed this from the Release TBD milestone Aug 13, 2023