Open pjdufour-dds opened 3 years ago
I'm looking into this now and have gathered some resource for those reading along:
Code Examples:
http://ocsp.disa.mil
or http://ocsp.managed.entrust.co m/OCSP/EMSSSPCAResponder
)@pjdufour-dds - there are two ways to approach this:
1) I could enable OCSP checks on every request 2) I could enable OCSP Stapling which would run in the background using a goroutine
The easy approach is to do this on every request, but there are known issues with that which is why stapling is preferred. However, the stapling approach is going to be a bit more complicated and might even warrant its own golang package for re-use on other projects. Do you have a preference here?
Also, assuming OCSP checking fails, I'm going to assume we want a soft fail approach with an optional flag for hard fail named --ocsp-hard-fail
. That would mimic what most folks seem to be doing online but I'd also love your thoughts on that.
Some golang OCSP staple modules I've run across:
That is some really good research! :)
Option 2 seems like the way to go and certainly do-able with a goroutine. I think where we'd want to do this is in the tls.Config.GetCertificate
method to return the server certificate with the OCSPStaple
field set. Hopefully, then the ServerHello response from the server with automatically include it.
I can't think of one deployment scenario where we'd want to hard fail when iceberg checks its own server certificate. Better to just not return a certificate in the ServerHello. However, it would be useful for testing, so I agree a separate hard fail flag would be useful. Same thing for "must staple". Good for testing, but unlikely we want to inherit the potential unreliability of the OCSP server.
For using OCSP to check client certificates, It'll might be more complicated, but can probably just keep a local cache.
Since we'd want to include checking of client certificates eventually, probably better to have the flags be --[server|client]-ocsp
rather than just --ocsp
. I think certainly think its fine to do server in its own PR first.
iceberg ... --server-ocsp https://ocsp.example.com --client-ocsp https://ocsp.example.com --client-ocsp-hard-fail
Add support for OCSP.
https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol