Adding OCSP Stapling support to mosquitto #459

Open. Wants to merge 1 commit into base: master.
8 participants
LarsVoelker commented Jun 9, 2017

Adding OCSP Stapling support to mosquitto, so that the TLS client side
requests the certificate status and checks it.
This code uses the OpenSSL-based OCSP implementation and is somewhat
based on the libcurl code for OCSP stapling.

Signed-off-by: Dr. Lars Voelker <lars.voelker@bmw.de>

ralight (Contributor) commented Jun 11, 2017

Thanks for this, I'm looking over it.

LarsVoelker commented Aug 1, 2017

Is there something that we have to do or to change? Did I miss something?

ralight (Contributor) commented Aug 1, 2017

Sorry for the delay Lars, the inclusion of the curl code complicates things a bit - it has to go through IP review, which I've only recently asked for and am now awaiting a response.

LarsVoelker commented Sep 1, 2017

Any news?

ChristianKuehnel commented Sep 27, 2017

I just had a look at the Curl license. It seems quite open and flexible:

It means that you are free to modify and redistribute all contents of the curl distributed archives.

So there should not be a problem, right?

mhei (Contributor) commented Oct 24, 2017

I noticed some coding style "issues" in the PR, e.g. whitespace in "if (" whereas the rest of the code seems to use "if(" for example. Maybe it would be better to have a second look at this to align the new code parts to existing code.

lprashant-94 commented on man/mosquitto.conf.5.xml in 74adb43 May 9, 2018

Hello LarsVoelker,
I am trying to run your changes. I didn't understand why we need to set the require_ocsp parameter at bridge level.

Also, according to my understanding, OCSP is used for client certificate validation. Correct me if I am wrong.
Thanks

LarsVoelker (Owner) replied May 14, 2018

Hi!

I am not sure that I understood the question. Since the bridge has a client and a server part, the option is needed for the client part as well.

Does this make sense?

lprashant-94 replied May 14, 2018

Hi Lars,
I have 2 questions:

  1. I thought the require_ocsp parameter should be a listener parameter, so that we can specify it for the SSL listener running on port 8883. Can you provide a sample mosquitto.conf for better understanding?

  2. I was trying to do certificate-based authentication, in which clients have their own certificate which the server validates. Only authenticated clients should be able to access the server. I was doing it using client certificates. I faced difficulty while revoking a certificate. Can I use OCSP in the server for certificate revocation?

Please provide steps to use OCSP.

Thank you,
Prashant

LarsVoelker (Owner) replied May 16, 2018

Hi Prashant!

Regarding Question 1:

Basically OCSP stapling works like this:

  • The client wants to check the server certificate using an OCSP stapling ticket. The client signals to the server that it needs that information inside TLS (CertificateStatusRequest, RFC6066 Section 8).
  • The server then sends the OCSP information to the client inside TLS (RFC6066 Section 8).
  • The client uses that information to validate the server's certificate. The client then decides whether to trust the connection or not, based on this.

So you basically need to have a way to make the client require OCSP. This is what the configuration parameter is for.

So you only need to add this line to your config:
require_ocsp true

In order to test this, you now need a CA that supplies the OCSP stapling tickets to you (e.g. letsencrypt) and a server with TLS that sends them out when the client asks for it.

Regarding Question 2:
Yes, in theory OCSP can help you here, but that has nothing to do with the patch I wrote. I wrote the code for the client needing the OCSP information of the server, which needs to be transported through TLS. In your case the server needs to check the certificate of the client using revocation lists or OCSP directly.

Best regards,
Lars
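How the two TLS messages from the list above look on the wire, and what a client with require_ocsp set does when the second one is missing, as an added example written for this page (not code from the PR, mosquitto or libcurl): the constant and message layouts are from RFC 6066 Section 8, while the function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Wire constant from RFC 6066 Section 8: CertificateStatusType ocsp(1). */
#define CERT_STATUS_TYPE_OCSP 1

/* Client side: body of the status_request extension in ClientHello,
 *   status_type(1) | responder_id_list<0..2^16-1> | request_extensions<0..2^16-1>
 * Empty lists mean "any responder, no extensions". Returns the 5 bytes
 * written, or 0 if the buffer is too small. */
size_t build_status_request(uint8_t *out, size_t cap)
{
    if (cap < 5) return 0;
    out[0] = CERT_STATUS_TYPE_OCSP;
    out[1] = 0; out[2] = 0;   /* responder_id_list length */
    out[3] = 0; out[4] = 0;   /* request_extensions length */
    return 5;
}

/* Server side: the CertificateStatus handshake message the client receives,
 *   status_type(1) | OCSPResponse opaque<1..2^24-1>
 * Points *resp at the DER OCSPResponse and returns its length, or returns 0
 * for a non-OCSP type, an empty response, or a length field that does not
 * match the message (truncated or trailing bytes). The DER is what the
 * client then hands to its OCSP verifier (OpenSSL's OCSP code in the PR). */
size_t parse_certificate_status(const uint8_t *msg, size_t len, const uint8_t **resp)
{
    if (msg == NULL || len < 4 || msg[0] != CERT_STATUS_TYPE_OCSP) return 0;
    size_t n = ((size_t)msg[1] << 16) | ((size_t)msg[2] << 8) | msg[3];
    if (n == 0 || n != len - 4) return 0;
    *resp = msg + 4;
    return n;
}

/* Client policy mirroring "require_ocsp true": with the option set, a server
 * that sends no CertificateStatus (msg == NULL) is rejected instead of
 * silently continuing without revocation information; a malformed status
 * is rejected either way. Returns 1 to continue the handshake. */
int client_accepts_status(int require_ocsp, const uint8_t *msg, size_t len)
{
    const uint8_t *resp;
    if (msg == NULL) return require_ocsp ? 0 : 1;
    return parse_certificate_status(msg, len, &resp) != 0;
}

/* Constructed samples (not real OCSP responses): a well-formed CertificateStatus
 * carrying 3 opaque bytes, and one whose length field claims 5 bytes but only 1 follows. */
const uint8_t SAMPLE_STATUS_OK[]    = { 1, 0, 0, 3, 0xAA, 0xBB, 0xCC };
const uint8_t SAMPLE_STATUS_SHORT[] = { 1, 0, 0, 5, 0xAA };
```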

lprashant-94 replied May 16, 2018

Thank you Lars, your explanation is very helpful.

gebi commented Jul 16, 2018

Any news on this?

reikla commented Sep 11, 2018

Hi,
is there any news on whether the PR will get merged?

BR
reikla

MrIsaak commented Oct 19, 2018

Hi,
is it planned to merge this feature?

Best regards,
Viktor
