Re: [TLS] OCSP stapling problem

"Salz, Rich" <rsalz@akamai.com> Wed, 19 December 2018 01:19 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: "T.Tributh" <tls=40tributh.net@dmarc.ietf.org>, "tls@ietf.org" <tls@ietf.org>
Date: Wed, 19 Dec 2018 01:18:29 +0000
Message-ID: <043B351E-28A3-4981-8555-9D950FA2FF98@akamai.com>
References: <20181215162408.55DD3130DCD@ietfa.amsl.com> <597308EA-C2A0-4BC8-9BFF-AAC4E036F470@akamai.com> <20181218163448.2B642131170@ietfa.amsl.com>
In-Reply-To: <20181218163448.2B642131170@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3_UZUmuhh-0o-5ACtyqUnJH31WU>
Subject: Re: [TLS] OCSP stapling problem

>    The "exim" server claims to support stapling (for incoming connections)

Yes, which isn't what I asked.

>    The Must-Staple belongs to the certificate which was requested
>    including "1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05"
>    in the CSR.

Does the exim server understand that extension?  If, for example, exim was built with OpenSSL, then it does not handle that extension.  What TLS stack was the server built with?

>    OCSP Must-Staple certificates are getting more popular.

FWIW, I have not noticed this, but maybe I'm looking in the wrong places.  On the other hand, nobody has raised the issue, nor made a pull request, with OpenSSL, so it can't be very popular yet.

	/r$
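The config line quoted in the thread, `1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05`, is OpenSSL's way of attaching the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24, "id-pe-tlsfeature") with the raw DER value `30 03 02 01 05`, i.e. `SEQUENCE { INTEGER 5 }`; feature 5 is the `status_request` TLS extension, which is what "must-staple" means. The following added example (it is not code from the email, from exim or from OpenSSL) decodes such a value in pure Python so an operator can confirm, before deploying a certificate or CSR, whether it demands OCSP stapling from the server. The decoder is a minimal DER reader written for this example; it handles only the SEQUENCE OF INTEGER shape that RFC 7633 defines, plus long-form lengths and truncation, and the sample inputs are constructed.

```python
"""Decode the RFC 7633 TLS Feature ("must-staple") extension value.

Added example: a minimal DER reader for TLSFeatures ::= SEQUENCE OF INTEGER,
fed from the OpenSSL "DER:xx:xx:..." config syntax quoted in the thread.
"""
from typing import List, Tuple

TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"   # id-pe-tlsfeature (RFC 7633)

# TLS extension type numbers that RFC 7633 allows in TLSFeatures.
STATUS_REQUEST = 5        # status_request (RFC 6066): OCSP stapling
STATUS_REQUEST_V2 = 17    # status_request_v2 (RFC 6961)
FEATURE_NAMES = {STATUS_REQUEST: "status_request",
                 STATUS_REQUEST_V2: "status_request_v2"}


def parse_openssl_der_value(config_value: str) -> bytes:
    """Convert an OpenSSL 'DER:30:03:02:01:05' extension value into bytes."""
    if not config_value.upper().startswith("DER:"):
        raise ValueError("expected an OpenSSL 'DER:' extension value")
    return bytes(int(h, 16) for h in config_value[4:].split(":") if h)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER: missing tag or length")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = octet count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER: value shorter than declared length")
    return tag, buf[pos:pos + length], pos + length


def decode_tls_features(der: bytes) -> List[int]:
    """Decode TLSFeatures (SEQUENCE OF INTEGER) into a list of feature ids."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("TLSFeatures must be exactly one SEQUENCE")
    features: List[int] = []
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("TLSFeatures entries must be INTEGERs")
        features.append(int.from_bytes(value, "big", signed=True))
    return features


def requires_ocsp_staple(der: bytes) -> bool:
    """True if the extension value lists status_request, i.e. must-staple.

    A server presenting such a certificate must staple an OCSP response,
    or clients that honour RFC 7633 will reject the handshake.
    """
    return STATUS_REQUEST in decode_tls_features(der)


def describe(config_value: str) -> str:
    """Human-readable summary of an OpenSSL-style TLS Feature config value."""
    der = parse_openssl_der_value(config_value)
    names = [FEATURE_NAMES.get(f, f"unknown({f})") for f in decode_tls_features(der)]
    verdict = "MUST staple OCSP" if requires_ocsp_staple(der) else "no stapling requirement"
    return f"{TLS_FEATURE_OID}: {', '.join(names) or '(empty)'} -> {verdict}"


if __name__ == "__main__":
    # Constructed sample: the exact value quoted in the thread.
    print(describe("DER:30:03:02:01:05"))
```

`decode_tls_features` deliberately rejects anything that is not a single SEQUENCE of INTEGERs, so a malformed or truncated extension surfaces as a `ValueError` rather than silently reading as "no stapling required".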