ocsp proxy support feature request #6965

Closed
plaintextcity opened this issue Aug 15, 2018 · 11 comments
Labels
branch: master Merge to master branch triaged: feature The issue/pr requests/adds a feature

Comments

@plaintextcity

Proxy support in s_client is a welcome addition and helpful for troubleshooting. In order to troubleshoot connection issues (walking through Ivan Ristic's OpenSSL Cookbook "Testing with OpenSSL") it would be helpful to have the equivalent -proxy support from s_client in ocsp.

@DanielOatAWS

Ping. Can you please confirm that 'ocsp' module cannot work behind a proxy, and if so, maybe see about prioritising this feature request (if possible at all)?

@t8m
Member

t8m commented May 12, 2021

@DDvO is this somehow handled already in your http client improvements in the current master?

@DDvO
Contributor

DDvO commented May 12, 2021

So far I was not aware of this FR; thanks @t8m for pointing me to it.

I've added proxy support to the OpenSSL crypto lib already 1.5 years ago in PR #10667 (commit 29f178b).
This was driven by supporting HTTP(S) proxies for CMP, but this way HTTP(S) proxies were already implicitly usable for the ocsp and s_server apps by setting the environment variables http_proxy etc.
It would be straightforward to make explicit use of this for both these CLI apps.

Yet I wonder if this FR makes sense for the s_client app - does this use (classical/plain) OCSP at all, where an HTTP(S) proxy can be of interest?
For s_client I can see only the optional use of OCSP stapling (i.e., the TLS cert status extension),
which reuses the (TCP, HTTP or whatever) connection itself for which TLS is being set up.
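The comment above describes two ways the OCSP client can pick up a proxy: an explicit option on the command line, or the http_proxy style environment variables. The following is an added illustration of that precedence (an explicit proxy wins over the environment, and a responder host listed in no_proxy gets a direct connection); it is a model written for this thread, not OpenSSL's own code, and the exact matching rules for no_proxy are an assumption.

```python
"""Model of proxy selection for an OCSP client, as discussed in the thread:
explicit proxy first, then http_proxy/https_proxy from the environment,
and no proxy when the responder host is listed in no_proxy.
Illustrative only; not OpenSSL's implementation."""
import os
from urllib.parse import urlsplit


def _host_of(url):
    """Return (hostname, is_https) of a responder URL such as http://ocsp.example.org/."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower(), parts.scheme == "https"


def _in_no_proxy(host, no_proxy):
    """no_proxy: comma-separated hosts or domain suffixes (leading dot optional). Assumed format."""
    if not no_proxy:
        return False
    for entry in (e.strip().lower() for e in no_proxy.split(",")):
        if not entry:
            continue
        if entry == "*" or host == entry or host.endswith("." + entry.lstrip(".")):
            return True
    return False


def select_proxy(responder_url, proxy=None, no_proxy=None, env=None):
    """Return the proxy host[:port] to use for responder_url, or None for a direct connection.

    proxy / no_proxy mirror command-line options; when they are None the
    environment (lower-case variable first, then upper-case) is consulted.
    """
    env = os.environ if env is None else env
    host, use_ssl = _host_of(responder_url)
    if no_proxy is None:
        no_proxy = env.get("no_proxy") or env.get("NO_PROXY")
    if _in_no_proxy(host, no_proxy):
        return None
    if proxy is None:
        var = "https_proxy" if use_ssl else "http_proxy"
        proxy = env.get(var) or env.get(var.upper())
    if not proxy:
        return None
    # Drop a leading scheme so callers get a bare host[:port] for the proxy connection.
    if "://" in proxy:
        proxy = proxy.split("://", 1)[1]
    return proxy.rstrip("/") or None
```

When troubleshooting, compare the value this model yields for your responder URL with what the ocsp app actually connects to; a mismatch usually points at a no_proxy entry or an upper/lower-case variable you did not expect.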

@DDvO
Contributor

DDvO commented May 12, 2021

I just added explicit HTTP(S) proxy support to the OCSP client part of the ocsp and s_server apps in #15245.
Is that what was actually desired in this FR?

DDvO added a commit to siemens/openssl that referenced this issue May 14, 2021
@t8m t8m removed this from the Post 1.1.1 milestone May 17, 2021
@t8m t8m added triaged: feature The issue/pr requests/adds a feature branch: master Merge to master branch labels May 17, 2021
openssl-machine pushed a commit that referenced this issue May 18, 2021
Strongly related to feature request #6965

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #15245)
@DDvO
Contributor

DDvO commented May 19, 2021

@plaintextcity, @ounsworth, @THausherr, @DanielOatAWS, and @drwetter, did #15245 solve the issue for you?

@drwetter
Contributor

To me it seems so. Thanks!

@THausherr

I can't comment, I'm not sure why I bookmarked this. Most likely I had to troubleshoot some https connection at work years ago.

@DDvO
Contributor

DDvO commented May 19, 2021

> I can't comment, I'm not sure why I bookmarked this. Most likely I had to troubleshoot some https connection at work years ago.

Thanks anyway for letting us know.

@ounsworth

@DDvO Neat, I had forgotten about this thread.

If I remember correctly, at the time I was fuzz testing an OCSP server and I was looking for an easy way to capture valid OCSP requests in a proxy like Burp or OWASP ZAP so that I could then inject broken ASN.1.

I would be happy to test this, but I've never done openssl dev before, so I'll need instructions for getting the nightly build or building your dev branch.

@DDvO
Contributor

DDvO commented May 21, 2021

> @DDvO Neat, I had forgotten about this thread.
>
> If I remember correctly, at the time I was fuzz testing an OCSP server and I was looking for an easy way to capture valid OCSP requests in a proxy like Burp or OWASP ZAP so that I could then inject broken ASN.1.

Interesting use case.
So apparently you were using the OCSP client portion of the ocsp app.
For this the -proxy option should have helped.

> I would be happy to test this, but I've never done openssl dev before, so I'll need instructions for getting the nightly build or building your dev branch.

Thanks @ounsworth for offering to test this.
According to what we just wrote above, I'm confident that the fix would have helped,
so I don't see the need for testing with your use case.
If you still wanna try it out, you could take yesterday's alpha release from https://www.openssl.org/source/,
which can be built as usual.

@t8m
Member

t8m commented May 21, 2021

I am closing this. A new issue can be opened if there is still anything missing with the proxy support in ocsp.

@t8m t8m closed this as completed May 21, 2021
devnexen pushed a commit to devnexen/openssl that referenced this issue Jul 7, 2021
Strongly related to feature request openssl#6965

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#15245)