Update openssl bindings to allow client side OCSP stapling #1863

adiroiban · 2015-04-23T12:02:53Z

I am looking at implementing OCSP stapling for Twisted (https://twistedmatrix.com/trac/ticket/6802) so I am documenting the work items I have identified so far

Docs:

https://www.openssl.org/docs/ssl/SSL_CTX_set_client_cert_cb.html
I could not find the public docs for SSL_set_tlsext_status_type

OpenSSL client sample code: https://github.com/openssl/openssl/blob/master/apps/s_client.c#L1530

# Set extension and set callback 
SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);

static int ocsp_resp_cb(SSL *s, void *arg)
{
    const unsigned char *p;
    int len;
    OCSP_RESPONSE *rsp;
    len = SSL_get_tlsext_status_ocsp_resp(s, &p);
    BIO_puts(arg, "OCSP response: ");
    if (!p) {
        BIO_puts(arg, "no response sent\n");
        return 1;
    }
    rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
    if (!rsp) {
        BIO_puts(arg, "response parse error\n");
        BIO_dump_indent(arg, (char *)p, len, 4);
        return 0;
    }
    BIO_puts(arg, "\n======================================\n");
    OCSP_RESPONSE_print(arg, rsp, 0);
    BIO_puts(arg, "======================================\n");
    OCSP_RESPONSE_free(rsp);
    return 1;
}

The text was updated successfully, but these errors were encountered:

alex · 2015-04-23T12:15:55Z

Missing things:

adiroiban · 2015-04-23T13:53:49Z

I am not sure if we need OCSP_RESPONSE_print ... I think that we will need to decode the DER content and construct from in an OCSP response object.

I could only find the source code for it ... but come with no docstring :( https://github.com/openssl/openssl/blob/6ef869d7d0a9d2e7ea7908c0b5aab1cb451e00fa/crypto/ocsp/ocsp_prn.c#L186 ... good to see that the source file comes with a 60 lines long header

I think that we need a separate ticket for OCSP specific method and dedicate this ticket for OCSP TLS extension

adiroiban · 2015-04-23T14:00:21Z

Also, I am not sure if we want to use OpenSSL implementation for making an OCSP request.

We can have an initial implementation in pure python and then extend with low level support from various libraries.

eeshangarg · 2015-05-04T13:23:51Z

reaperhulk · 2015-05-13T21:19:38Z

with the merge of #1945 I think we can close this (as no one seems to want the OCSP bindings right now). We can open a new issue if required.

adiroiban mentioned this issue Apr 23, 2015

Update openssl bindings to allow server side OCSP stapling #1864

Closed

alex added good first issue bindings labels Apr 23, 2015

alex added this to the Ninth Release milestone Apr 23, 2015

eeshangarg mentioned this issue May 4, 2015

Add OpenSSL binding for SSL_get_tlsext_status_ocsp_resp #1901

Merged

eeshangarg mentioned this issue May 5, 2015

Add OpenSSL binding for SSL_set_tlsext_status_type #1905

Merged

reaperhulk mentioned this issue May 13, 2015

add SSL_set_tlsext_status_arg support #1945

Merged

reaperhulk closed this as completed May 13, 2015

github-actions bot locked as resolved and limited conversation to collaborators Aug 23, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update openssl bindings to allow client side OCSP stapling #1863

Update openssl bindings to allow client side OCSP stapling #1863

adiroiban commented Apr 23, 2015

alex commented Apr 23, 2015

adiroiban commented Apr 23, 2015

adiroiban commented Apr 23, 2015

eeshangarg commented May 4, 2015

reaperhulk commented May 13, 2015

Update openssl bindings to allow client side OCSP stapling #1863

Update openssl bindings to allow client side OCSP stapling #1863

Comments

adiroiban commented Apr 23, 2015

alex commented Apr 23, 2015

adiroiban commented Apr 23, 2015

adiroiban commented Apr 23, 2015

eeshangarg commented May 4, 2015

reaperhulk commented May 13, 2015