Re: [TLS] OCSP stapling problem

Rob Stradling <rob@sectigo.com> Wed, 19 December 2018 13:20 UTC

From: Rob Stradling <rob@sectigo.com>
To: "Salz, Rich" <rsalz@akamai.com>, "T.Tributh" <tls=40tributh.net@dmarc.ietf.org>, "tls@ietf.org" <tls@ietf.org>
Date: Wed, 19 Dec 2018 13:20:51 +0000
Message-ID: <9314a20a-fe11-825a-454f-20f3104d4b3c@sectigo.com>
References: <20181215162408.55DD3130DCD@ietfa.amsl.com> <597308EA-C2A0-4BC8-9BFF-AAC4E036F470@akamai.com> <20181218163448.2B642131170@ietfa.amsl.com> <043B351E-28A3-4981-8555-9D950FA2FF98@akamai.com> <8ee97d12-606c-f7a7-09a1-eecdd84807d1@sectigo.com> <B05F4EC2-9B1C-4587-B29F-4C8644476C16@akamai.com>
In-Reply-To: <B05F4EC2-9B1C-4587-B29F-4C8644476C16@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_GH7I8lt31iu3AZEcsHggCJyLMo>
Subject: Re: [TLS] OCSP stapling problem
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

On 19/12/2018 13:13, Salz, Rich wrote:
>>     OpenSSL already has some support for Must-Staple:
>>     https://github.com/openssl/openssl/pull/495
>
> Oops, yeah, you're right.  But it's not really documented and not hooked up to any popular server, is it?  OpenSSL can parse it, but that's about it.

I suspect that's true.

What would hooking it up to a webserver look like, I wonder?  Would the 
webserver automatically enable OCSP stapling if the server cert 
indicates Must Staple?  Or would the webserver throw an error and refuse 
to start until the administrator has manually enabled OCSP stapling?

-- 
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited
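
The two start-up behaviours Rob asks about, as an added example that is not part of the thread and not OpenSSL's or any web server's code. It decodes the RFC 7633 TLS Feature extension (id-pe-tlsfeature, 1.3.6.1.5.5.7.1.24) with a hand-rolled minimal DER reader and then applies either an "auto" policy (turn stapling on because the certificate demands it) or a "strict" policy (refuse to start until the administrator enables stapling). The function names, the policy labels, and the sample extension bytes are all constructed for this example; the input is the DER of the X.509 Extensions SEQUENCE rather than a whole certificate, so it runs with the standard library only.

```python
"""
Detect RFC 7633 Must-Staple (TLS Feature extension listing status_request = 5)
and decide what a web server should do at start-up.

Added example for the thread; not code from OpenSSL or from any server.
Minimal DER reader: handles single-byte tags and short/long definite lengths,
which is all X.509 extensions need.  Sample bytes below are constructed.
"""
from __future__ import annotations

ID_PE_TLSFEATURE = "1.3.6.1.5.5.7.1.24"   # RFC 7633 id-pe-tlsfeature
STATUS_REQUEST = 5                        # RFC 6066 TLS extension type (OCSP stapling)


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one DER TLV starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                        # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def tls_features(extensions_der: bytes) -> list[int]:
    """Return the INTEGER list from the TLS Feature extension, or [] if absent."""
    tag, seq, _ = _read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    pos = 0
    while pos < len(seq):
        _, ext, pos = _read_tlv(seq, pos)       # each Extension is a SEQUENCE
        _, oid, p = _read_tlv(ext, 0)
        if _decode_oid(oid) != ID_PE_TLSFEATURE:
            continue
        t, nxt, p = _read_tlv(ext, p)
        if t == 0x01:                           # optional critical BOOLEAN
            t, nxt, p = _read_tlv(ext, p)
        # nxt is the OCTET STRING wrapping SEQUENCE OF INTEGER
        _, ints, _ = _read_tlv(nxt, 0)
        feats, q = [], 0
        while q < len(ints):
            _, v, q = _read_tlv(ints, q)
            feats.append(int.from_bytes(v, "big", signed=True))
        return feats
    return []


def requires_staple(extensions_der: bytes) -> bool:
    """True when the certificate is Must-Staple (status_request listed)."""
    return STATUS_REQUEST in tls_features(extensions_der)


def startup_decision(extensions_der: bytes, stapling_configured: bool, policy: str) -> str:
    """
    Hypothetical server policy switch (names are this example's, not any server's):
      "auto"   - enable stapling automatically if the cert demands it
      "strict" - refuse to start until the admin has enabled stapling
    Returns "start", "start-with-stapling" or "refuse".
    """
    if not requires_staple(extensions_der):
        return "start-with-stapling" if stapling_configured else "start"
    if stapling_configured or policy == "auto":
        return "start-with-stapling"
    return "refuse"


# Constructed sample 1: Extensions { basicConstraints (critical, CA=false),
#                                    tlsfeature { status_request } }
# OID 1.3.6.1.5.5.7.1.24 encodes as 2B 06 01 05 05 07 01 18.
MUST_STAPLE_EXTS = bytes.fromhex(
    "3021"                                      # Extensions SEQUENCE, 33 bytes
    "300c" "0603551d13" "0101ff" "04023000"     # basicConstraints, critical
    "3011" "0608" "2b06010505070118"            # Extension: id-pe-tlsfeature
    "0405" "3003020105"                         #   OCTET STRING { SEQ { INT 5 } }
)

# Constructed sample 2: only basicConstraints, no TLS Feature extension.
NO_STAPLE_EXTS = bytes.fromhex("300e" "300c" "0603551d13" "0101ff" "04023000")

if __name__ == "__main__":
    for name, exts in (("must-staple", MUST_STAPLE_EXTS), ("plain", NO_STAPLE_EXTS)):
        for policy in ("auto", "strict"):
            print(name, policy, "stapling off ->", startup_decision(exts, False, policy))
```

The "strict" branch is the safer default for a production server: a Must-Staple certificate served without a staple is rejected by enforcing clients, so failing loudly at start-up beats silently serving a broken site. The "auto" branch is friendlier but only works if the server can actually reach the OCSP responder; an auto-enabled staple that never gets refreshed reproduces the same client-side failure.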