
Add OCSP Stapling #1275

Closed

Conversation

maximilianfridrich (Contributor) commented Feb 17, 2025

The test only checks for basic functionality. This was tested successfully manually with a real TLS server which provides OCSP stapling responses (duck.com:443).

Related:

sreimers (Member) commented

Not sure about this, OCSP is more and more disabled and CRLs are recommended for privacy reasons.

https://letsencrypt.org/2024/12/05/ending-ocsp/

maximilianfridrich (Contributor, Author) commented Feb 17, 2025

You're right, some CAs move away from OCSP (even OCSP stapling). Let's Encrypt for example can afford this because they operate very efficiently by enforcing ACME and only issuing short-lived certificates. Not everyone is in such a position (yet) where they can afford to drop OCSP and instead only use CRLs which has its own (long) list of drawbacks.

Certificate revocation is still a difficult topic with no clear cut solution.

RFC 9325 (section 7.5) provides some guidance and does suggest OCSP, particularly OCSP stapling since it solves the privacy issues around OCSP.

Per default, this is disabled, so no-one has to use it if they don't want to.
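Since the discussion above is about whether a client should rely on a stapled OCSP response, here is an added example (not libre's code and not part of this pull request) of the check a client must do before treating a staple as revocation evidence: parse the TLS 1.2 CertificateStatus framing (RFC 6066 section 8) and the outer OCSPResponse DER to read its OCSPResponseStatus (RFC 6960 section 4.2.1). The sample messages are constructed, not captured from a server.

```c
#include <stddef.h>
#include <stdint.h>

/* OCSPResponseStatus values (RFC 6960 section 4.2.1). Only 'successful'
 * carries a ResponseBytes body; every other value means the responder
 * gave no answer, so the staple must not be taken as "not revoked". */
enum ocsp_response_status {
    OCSP_SUCCESSFUL = 0, OCSP_MALFORMED_REQUEST = 1, OCSP_INTERNAL_ERROR = 2,
    OCSP_TRY_LATER = 3, OCSP_SIG_REQUIRED = 5, OCSP_UNAUTHORIZED = 6
};

#define STATUS_TYPE_OCSP 1 /* CertificateStatusType.ocsp, RFC 6066 */

/* Read a DER length at buf[*pos]: short form or 1-2 byte long form.
 * Returns 0 on success and advances *pos past the length octets. */
static int der_length(const uint8_t *buf, size_t len, size_t *pos, size_t *out)
{
    if (*pos >= len) return -1;
    uint8_t b = buf[(*pos)++];
    if (b < 0x80) { *out = b; return 0; }
    size_t n = b & 0x7f;
    if (n == 0 || n > 2 || *pos + n > len) return -1; /* indefinite or oversized */
    *out = 0;
    while (n--) *out = (*out << 8) | buf[(*pos)++];
    return 0;
}

/* Parse a CertificateStatus body: status_type (1 byte), ocsp_response
 * length (3 bytes), then OCSPResponse ::= SEQUENCE { responseStatus
 * ENUMERATED, ... }. Returns the responseStatus value, or -1 if the
 * message is malformed or truncated (treat -1 like a non-successful staple). */
int ocsp_staple_status(const uint8_t *msg, size_t len)
{
    if (len < 4 || msg[0] != STATUS_TYPE_OCSP) return -1;
    size_t rlen = ((size_t)msg[1] << 16) | ((size_t)msg[2] << 8) | msg[3];
    if (rlen == 0 || rlen > len - 4) return -1; /* length runs past the message */
    const uint8_t *der = msg + 4;
    size_t pos = 0, seq_len, enum_len;
    if (der[pos++] != 0x30 || der_length(der, rlen, &pos, &seq_len)) return -1;
    if (seq_len > rlen - pos) return -1;
    if (pos >= rlen || der[pos++] != 0x0a || der_length(der, rlen, &pos, &enum_len)) return -1;
    if (enum_len != 1 || pos >= rlen) return -1;
    return der[pos];
}

/* Constructed sample messages (hypothetical, not from any real server). */
const uint8_t staple_ok[]    = {1, 0, 0, 5, 0x30, 0x03, 0x0a, 0x01, 0x00};
const uint8_t staple_later[] = {1, 0, 0, 5, 0x30, 0x03, 0x0a, 0x01, 0x03};
const uint8_t staple_trunc[] = {1, 0, 0, 9, 0x30, 0x03, 0x0a, 0x01, 0x00};
const uint8_t staple_badtype[] = {2, 0, 0, 5, 0x30, 0x03, 0x0a, 0x01, 0x00};
```

A real client would then go on to verify the responder signature, the certificate serial and the thisUpdate/nextUpdate window inside a successful response; this block only shows the outer gate.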

@maximilianfridrich maximilianfridrich marked this pull request as draft February 17, 2025 10:46
@maximilianfridrich maximilianfridrich force-pushed the ocsp_stapling branch 4 times, most recently from 85c2afc to d95fa1c Compare February 17, 2025 12:10
@maximilianfridrich maximilianfridrich marked this pull request as ready for review February 17, 2025 12:15
@maximilianfridrich maximilianfridrich marked this pull request as draft February 21, 2025 13:07
*cert = SSL_get1_peer_certificate(ssl);
#else
*cert = SSL_get_peer_certificate(ssl);
#endif
Review comment (Contributor):

Could this be a good time to drop support for OpenSSL 1.1.1?

Reply (Contributor, Author):

I'm pretty sure we still have systems using OpenSSL 1.1.1.

If you want to discuss this, I think opening a GitHub discussion in baresip or re and tagging all major contributors and all maintainers could be good.

*
* @return 0 if success, otherwise errorcode
*/
int tls_set_ocsp_stapling(struct tls *tls, const enum tls_ocsp_stapling mode)
Review comment (Contributor):

Has this been tested with LibreSSL?

Reply (Contributor, Author):

At least through the retest, yes. Initially, I had used some OpenSSL functions which were not supported by LibreSSL, and the retest showed this, so I refactored it. So I'm pretty sure that this also works with LibreSSL.

alfredh (Contributor) commented Mar 11, 2025

it looks like the run-on-arch job is failing:

  Segmentation fault (core dumped)

Should we try to switch to the ubuntu-arm image instead?

maximilianfridrich (Contributor, Author) commented Mar 11, 2025

Thanks @ everyone for the feedback and patience. As mentioned in the BareSIP PR, I will close this and we will look into a CRLDP implementation.
