Re: [TLS] OCSP stapling problem

"Salz, Rich" <rsalz@akamai.com> Wed, 19 December 2018 17:19 UTC


> Shall I open a ticket for openssl?
> GnuTLS also seems not to be able to staple the status_response when in
> client mode.

Feel free.  One possible result is that the OpenSSL maintainers will say that this is more about integration for the different servers that accept client certificates. But it seems there is at least a documentation issue in OpenSSL.