Natanael Mignon - michael-wessel.de wrote:
> Hello Steve, dear list,
> inspired by https://issues.apache.org/bugzilla/show_bug.cgi?id=43822 (OCSP
> stapling support for mod_ssl) I dare asking, if this patch might solve a
> requirement we face at the moment:
> We do client authentication with certificates in Apache/mod_ssl (working as
> SSL-reverse-proxy) and we do require validation via OCSP. In order to avoid
> thousands of OCSP requests within short time, the system must provide an OCSP
> request cache, i.e. the situation is a little different from what the
> stapling patch is intended to do - but if we see Apache itself as a "client",
> it would be fitting.
> On basis of Apache 2.3 (for all the OCSP handling...) we have done some
> customizations already (thanks for your help on openssl-users!), so including
> the stapling patch would be welcome. I was wondering, if you had any ideas
> regarding this question that could help us? I'll look at the code now and try
> to apply the patch.
> Any thoughts and help welcome. Thanks in advance!
First comment to list in general: any comments on what needs to be done to get
the OCSP stapling patch accepted? I've rewritten the original version to
incorporate all suggestions and answered all the queries in the report. It
probably needs updating, any other issues?
Now to the actual query, if I understand it correctly. That patch works in
reverse to your problem. It is designed to stop thousands of OCSP requests from
SSL clients connecting to an Apache server and all simultaneously slamming an
OCSP responder attempting to check the status of that server certificate.
One option would be to add stapling client support if you wanted to use OCSP
stapling. That would however only work if the servers the proxy connected to
also supported OCSP stapling.
Another option would be to use a local caching OCSP responder which queries the
remote responder to get an initial response and just serves that up until it
needs to be renewed.
What I think you are trying to do is to include a cache for OCSP queries the
proxy itself makes which is IMHO the best solution. So instead of always
consulting the OCSP responder it instead checks the cache to see if there is a
valid OCSP response in there, if it is expired or invalid then and only then
would it renew the response by making an actual query. Doing things that way
doesn't need OCSP stapling support in the server(s).
If that's correct then you could reuse some of the OCSP response query and
caching code in the stapling patch. It implements similar functionality.
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org