Re: [TLS] OCSP stapling problem

"T.Tributh" <tls@tributh.net> Wed, 19 December 2018 14:47 UTC

To: tls@ietf.org
References: <20181215162408.55DD3130DCD@ietfa.amsl.com> <597308EA-C2A0-4BC8-9BFF-AAC4E036F470@akamai.com> <20181218163448.2B642131170@ietfa.amsl.com> <043B351E-28A3-4981-8555-9D950FA2FF98@akamai.com> <8ee97d12-606c-f7a7-09a1-eecdd84807d1@sectigo.com> <B05F4EC2-9B1C-4587-B29F-4C8644476C16@akamai.com> <9314a20a-fe11-825a-454f-20f3104d4b3c@sectigo.com>
From: "T.Tributh" <tls@tributh.net>
Date: Wed, 19 Dec 2018 15:47:25 +0100
In-Reply-To: <9314a20a-fe11-825a-454f-20f3104d4b3c@sectigo.com>
Message-Id: <20181219144731.8F555124BE5@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/q0F6EQ_ZzzRWHA6oXOZwESZ_nGw>
Subject: Re: [TLS] OCSP stapling problem


On 19.12.18 at 14:20, Rob Stradling wrote:
> On 19/12/2018 13:13, Salz, Rich wrote:
>>>     OpenSSL already has some support for Must-Staple:
>>>     https://github.com/openssl/openssl/pull/495
>>
>> Oops, yeah, you're right.  But it's not really documented and not hooked up to any popular server, is it?  OpenSSL can parse it, but that's about it.
> 
> I suspect that's true.
> 
> What would hooking it up to a webserver look like, I wonder?  Would the 
> webserver automatically enable OCSP stapling if the server cert 
> indicates Must Staple?  Or would the webserver throw an error and refuse 
> to start until the administrator has manually enabled OCSP stapling?
> 

Let me also answer some previous questions:

The problem exists on an Exim server.
Exim is compiled with OpenSSL 1.1.1a.
There is a 384-bit ECDSA certificate from letsencrypt with Must-Staple
enabled in place.
The config adds a staple file with the status_response from the
letsencrypt OCSP server.

This part works very well without any issues.

To check the functionality, there was the openssl command line,
https://hardenize.com & Thunderbird as mail client.
Thunderbird (recent version) refuses to establish a TLS connection when
the stapling file is not added as an extension to the certificate.


OCSP Must-Staple certificates also work very well on Apache & nginx.
Nginx starts without any issue when stapling is not enabled, but Firefox
& Chrome will fail to connect with TLS errors.
Other browsers may behave similarly.

Shall I open a ticket for openssl?
GnuTLS also seems not to be able to staple the status_response when in
client mode.

Have I missed clarifying something?

Torsten
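Rob asks above what "hooking Must-Staple up to a server" would look like. The script below is an added illustration written for this archive page; it is not code from OpenSSL, Exim, nginx, Apache or any other project named in the thread. It walks the DER-encoded Extensions of an X.509 certificate with a minimal stdlib-only TLV reader, looks for the TLS Feature extension of RFC 7633 (id-pe-tlsfeature, OID 1.3.6.1.5.5.7.1.24, whose value is a SEQUENCE OF INTEGER naming TLS extension types), and turns the result into a start-up decision: a certificate that requires status_request (5) but no configured staple is the case that makes Thunderbird, Firefox and Chrome fail as Torsten describes, so a server should refuse to come up or at least log it loudly. The `sample_extensions` helper and the decision strings are constructed for the example; the function and variable names are assumptions, not an API of any real server.

```python
"""Start-up check for OCSP Must-Staple (RFC 7633 TLS Feature extension).

Added illustration for this mailing-list page; not code from OpenSSL, Exim,
nginx or Apache. Stdlib only: a tiny DER TLV reader over the Extensions
SEQUENCE of a certificate, plus the policy decision a server could make once
at start-up.
"""

# DER content octets of id-pe-tlsfeature = 1.3.6.1.5.5.7.1.24 (RFC 7633)
ID_PE_TLSFEATURE = bytes.fromhex("2b06010505070118")
STATUS_REQUEST = 5       # TLS extension type status_request
STATUS_REQUEST_V2 = 17   # TLS extension type status_request_v2


def read_tlv(buf, pos):
    """Read one DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length


def iter_sequence(body):
    """Yield the (tag, value) children of a DER SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value


def must_staple_features(extensions_der):
    """Return the set of feature numbers in the TLS Feature extension, or None if absent."""
    tag, body, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions is not a SEQUENCE")
    for _ext_tag, ext in iter_sequence(body):
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
        children = list(iter_sequence(ext))
        oid_tag, oid = children[0]
        if oid_tag != 0x06 or oid != ID_PE_TLSFEATURE:
            continue
        value_tag, octets = children[-1]
        if value_tag != 0x04:
            raise ValueError("extnValue is not an OCTET STRING")
        _, features, _ = read_tlv(octets, 0)   # Features ::= SEQUENCE OF INTEGER
        return {int.from_bytes(v, "big", signed=True)
                for t, v in iter_sequence(features) if t == 0x02}
    return None


def startup_decision(extensions_der, staple_configured):
    """Policy a server could apply before accepting connections (hypothetical)."""
    features = must_staple_features(extensions_der)
    if not features or not (features & {STATUS_REQUEST, STATUS_REQUEST_V2}):
        return "ok: no must-staple requirement"
    if staple_configured:
        return "ok: must-staple satisfied"
    # This is the configuration that makes Must-Staple-aware clients refuse the TLS session.
    return "refuse: certificate requires OCSP stapling but none is configured"


def der(tag, body):
    """Encode one DER TLV (short- or long-form length); used only to build sample input."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body


def sample_extensions(must_staple):
    """Constructed Extensions blob: an empty basicConstraints plus, optionally, TLS Feature {5}."""
    basic = der(0x30, der(0x06, bytes.fromhex("551d13"))   # 2.5.29.19 basicConstraints
                + der(0x01, b"\xff")                        # critical TRUE
                + der(0x04, der(0x30, b"")))                # empty BasicConstraints
    exts = basic
    if must_staple:
        features = der(0x30, der(0x02, bytes([STATUS_REQUEST])))
        exts += der(0x30, der(0x06, ID_PE_TLSFEATURE) + der(0x04, features))
    return der(0x30, exts)


if __name__ == "__main__":
    for ms in (False, True):
        for configured in (False, True):
            print(f"must_staple={ms} staple_configured={configured}: "
                  f"{startup_decision(sample_extensions(ms), configured)}")
```

On a real certificate the same extension is what `openssl x509 -in cert.pem -noout -text` prints as a TLS Feature entry, and `openssl s_client -status` against the running service shows whether a staple is actually being sent, which is the client-side view the thread is comparing against Thunderbird and the browsers.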