Support OCSP

[pjdufour-dds]

Add support for OCSP.

https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

[chrisgilmerproj]

I'm looking into this now and have gathered some resource for those reading along:

• CloudFlare: High-reliability OCSP stapling and why it matters
• Wikipedia OCSP
• Wikipedia OCSP Stapling
• Golang crypto.tls Certificate.OCSPStaple
• Golang cyrpto.tls Conn.OCSP Response
• Golang crypto.tls Config.VerifyConnection - Potentially useful for embedding the OSCP check
• Golang crypto.ocsp module
• https://github.com/golang/go/issues/40017 - proposal: crypto/x509: implement OCSP verifier
• HackerNews on CRLs
• GopherCon 2019 - PKI for Gophers with OCSP slides
• OCSP Oops! Concerning challenges with OCSP Staples

Code Examples:

• https://github.com/golang/go/issues/30651 - Golang Issue: Support multiple OCSP Response/requests by paultag (relates to stuff we're probably doing with http://ocsp.disa.mil or http://ocsp.managed.entrust.co m/OCSP/EMSSSPCAResponder)
• Stack Overflow: golang sending ocsp request returns
• OCSP Staple Example

[chrisgilmerproj]

@pjdufour-dds - there are two ways to approach this:

1) I could enable OCSP checks on every request 2) I could enable OCSP Stapling which would run in the background using a goroutine

The easy approach is to do this on every request, but there are known issues with that which is why stapling is preferred. However, the stapling approach is going to be a bit more complicated and might even warrant its own golang package for re-use on other projects. Do you have a preference here?

Also, assuming OCSP checking fails, I'm going to assume we want a soft fail approach with an optional flag for hard fail named --ocsp-hard-fail. That would mimic what most folks seem to be doing online but I'd also love your thoughts on that.

[chrisgilmerproj]

Some golang OCSP staple modules I've run across:

• https://github.com/rolandshoemaker/stapled
• https://github.com/PennockTech/ocsprenewer

[pjdufour-dds]

That is some really good research! :)

Option 2 seems like the way to go and certainly do-able with a goroutine. I think where we'd want to do this is in the tls.Config.GetCertificate method to return the server certificate with the OCSPStaple field set. Hopefully, then the ServerHello response from the server with automatically include it.

I can't think of one deployment scenario where we'd want to hard fail when iceberg checks its own server certificate. Better to just not return a certificate in the ServerHello. However, it would be useful for testing, so I agree a separate hard fail flag would be useful. Same thing for "must staple". Good for testing, but unlikely we want to inherit the potential unreliability of the OCSP server.

For using OCSP to check client certificates, It'll might be more complicated, but can probably just keep a local cache.

Since we'd want to include checking of client certificates eventually, probably better to have the flags be --[server|client]-ocsp rather than just --ocsp. I think certainly think its fine to do server in its own PR first.

iceberg ... --server-ocsp https://ocsp.example.com --client-ocsp https://ocsp.example.com --client-ocsp-hard-fail