Opened 14 months ago

Last modified 6 weeks ago

#6802 enhancement new

TLS: support OCSP stapling

Reported by: oberstet Owned by:
Priority: normal Milestone:
Component: core Keywords: TLS, pyOpenSSL, OCSP
Cc: Branch:
Author: Launchpad Bug:

Description

Quoting from [here](http://en.wikipedia.org/wiki/OCSP_stapling):

OCSP stapling, formally known as the TLS Certificate Status Request extension, is an alternative approach to the Online Certificate Status Protocol (OCSP) for checking the revocation status of X.509 digital certificates.

In short, this provides two advantages:

The TLS extension is defined in [this RFC](http://tools.ietf.org/html/rfc6066#section-8) and supported by a few servers like [Nginx](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling).

In OpenSSL, there once was a [vulnerability](https://www.rapid7.com/db/vulnerabilities/http-openssl-cve-2011-0014) that got fixed [here](http://www.openssl.org/news/secadv_20110208.txt).

For OpenSSL based servers, usage can be seen here:

Providing support for OCSP stapling in Twisted would be great, though non-trivial. A prerequisite would be exposing the relevant bits in pyOpenSSL.

Some more info:
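To make the wire format of the extension the ticket refers to concrete, here is an added example (not code from the Twisted ticket, from Twisted, or from pyOpenSSL) that encodes and strictly decodes the RFC 6066 section 8 `status_request` ClientHello extension and the `CertificateStatus` handshake message in which a server staples its OCSP response. It uses only the Python standard library; the constants are the values RFC 6066 assigns (extension type 5, `status_type` ocsp = 1, handshake type 22), and the sample OCSP response bytes in the usage block are a constructed minimal DER `OCSPResponse` with status `tryLater`, not a real responder's output.

```python
# Added example: stdlib-only encoder/decoder for the RFC 6066 section 8
# status_request extension and the CertificateStatus handshake message.
import struct

STATUS_REQUEST_EXT_TYPE = 5        # ExtensionType status_request (RFC 6066 section 8)
STATUS_TYPE_OCSP = 1               # CertificateStatusType ocsp(1)
HANDSHAKE_CERTIFICATE_STATUS = 22  # HandshakeType certificate_status (RFC 6066)


def _vec(data: bytes, length_bytes: int) -> bytes:
    """Encode a TLS variable-length vector: big-endian length prefix, then payload."""
    if len(data) >= 1 << (8 * length_bytes):
        raise ValueError("vector too long")
    return len(data).to_bytes(length_bytes, "big") + data


def _read_vec(buf: bytes, pos: int, length_bytes: int):
    """Decode a TLS vector at buf[pos:], returning (payload, new_pos); rejects truncation."""
    if pos + length_bytes > len(buf):
        raise ValueError("truncated vector length")
    n = int.from_bytes(buf[pos:pos + length_bytes], "big")
    pos += length_bytes
    if pos + n > len(buf):
        raise ValueError("truncated vector body")
    return buf[pos:pos + n], pos + n


def encode_status_request_extension(responder_ids=(), request_extensions=b"") -> bytes:
    """Build a full ClientHello Extension: type(2) || length(2) || CertificateStatusRequest."""
    responder_list = b"".join(_vec(rid, 2) for rid in responder_ids)  # each ResponderID<1..2^16-1>
    body = (bytes([STATUS_TYPE_OCSP])
            + _vec(responder_list, 2)          # responder_id_list<0..2^16-1>
            + _vec(request_extensions, 2))     # Extensions<0..2^16-1>
    return struct.pack("!HH", STATUS_REQUEST_EXT_TYPE, len(body)) + body


def decode_status_request_extension(ext: bytes) -> dict:
    """Parse an Extension back into its fields; raises ValueError on malformed input."""
    if len(ext) < 4:
        raise ValueError("extension header truncated")
    ext_type = struct.unpack("!H", ext[:2])[0]
    if ext_type != STATUS_REQUEST_EXT_TYPE:
        raise ValueError("not a status_request extension")
    body, end = _read_vec(ext, 2, 2)          # 2-byte extension_data length at offset 2
    if end != len(ext):
        raise ValueError("trailing bytes after extension")
    if not body:
        raise ValueError("empty CertificateStatusRequest")
    status_type = body[0]
    if status_type != STATUS_TYPE_OCSP:
        raise ValueError("unsupported status_type %d" % status_type)
    responder_list, pos = _read_vec(body, 1, 2)
    request_exts, pos = _read_vec(body, pos, 2)
    if pos != len(body):
        raise ValueError("trailing bytes in CertificateStatusRequest")
    responder_ids, rpos = [], 0
    while rpos < len(responder_list):
        rid, rpos = _read_vec(responder_list, rpos, 2)
        if not rid:                            # ResponderID has a minimum length of 1
            raise ValueError("empty ResponderID")
        responder_ids.append(rid)
    return {"status_type": status_type, "responder_ids": responder_ids,
            "request_extensions": request_exts}


def encode_certificate_status(ocsp_response_der: bytes) -> bytes:
    """Build the CertificateStatus handshake message a server sends after Certificate."""
    if not ocsp_response_der:
        raise ValueError("OCSPResponse must be non-empty")
    body = bytes([STATUS_TYPE_OCSP]) + _vec(ocsp_response_der, 3)   # OCSPResponse<1..2^24-1>
    return bytes([HANDSHAKE_CERTIFICATE_STATUS]) + _vec(body, 3)      # type(1) || length(3) || body


def decode_certificate_status(msg: bytes) -> bytes:
    """Extract the DER OCSPResponse from a CertificateStatus handshake message."""
    if not msg or msg[0] != HANDSHAKE_CERTIFICATE_STATUS:
        raise ValueError("not a CertificateStatus handshake message")
    body, end = _read_vec(msg, 1, 3)
    if end != len(msg):
        raise ValueError("trailing bytes after handshake message")
    if not body or body[0] != STATUS_TYPE_OCSP:
        raise ValueError("unsupported status_type")
    ocsp, pos = _read_vec(body, 1, 3)
    if pos != len(body) or not ocsp:
        raise ValueError("malformed OCSPResponse vector")
    return ocsp


if __name__ == "__main__":
    # The minimal client request (no responder IDs, no extensions) is 9 bytes on the wire.
    print(encode_status_request_extension().hex())
    # Constructed placeholder: minimal DER OCSPResponse with responseStatus tryLater(3).
    stapled = encode_certificate_status(bytes.fromhex("30030a0103"))
    print(decode_certificate_status(stapled).hex())
```

The decoders reject trailing bytes and truncated vectors rather than silently accepting them; a stapling-aware server or client that parses these structures should fail closed on malformed input, since the stapled response is untrusted data from the peer until its signature is checked against the issuing CA.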

Change History (1)

comment:1 Changed 6 weeks ago by hynek

Given https://www.imperialviolet.org/2014/04/19/revchecking.html I find this rather low-priority.
