wget2 | Several OCSP improvements (!513)
From: Ander Juaristi (@juaristi)
Subject: wget2 | Several OCSP improvements (!513)
Date: Sat, 24 Sep 2022 17:56:21 +0000
Ander Juaristi created a merge request:
https://gitlab.com/gnuwget/wget2/-/merge_requests/513
Branches: aj-check-ocsp-at-end to master
Author: Ander Juaristi
Assignee: Ander Juaristi
Reviewer: Tim Rühsen
This MR solves two major pain points on the OpenSSL backend. We move on-line
OCSP verification out of the `openssl_revocation_check_fn` callback, and we
take into account stapled responses sent by the server and avoid sending OCSP
requests for those (#578).
We are doing OCSP verification in the `openssl_revocation_check_fn` callback.
This callback is not the best place to check OCSP because the peer's X.509 cert
stack that we get there is incomplete, and cannot be fully trusted. Hence, we
move OCSP checking to the end of the `wget_ssl_open` function, just after the
TLS handshake has successfully completed. At that point we do have the full,
verified, cert stack (can be obtained with `SSL_get0_verified_chain`).
In addition, the fact that the on-line OCSP checks for the certificates were
being carried out after the handshake completed meant that any stapled OCSP
response sent by the server was not taken into account (all certificates were
being OCSP-checked regardless of whether there was a stapled response for any of
them or not). This was also happening before, when we used the
`openssl_revocation_check_fn` callback, because it was always called after the
OCSP verification callback. Hence, we create a vector and store all the stapled
OCSP responses we receive, and then, during on-line OCSP verification, we check
if a stapled response exists for each certificate before contacting OCSP
servers.
### Approver's checklist:
* [ ] The author has submitted the FSF Copyright Assignment and is listed in
AUTHORS
* [ ] There is a test suite reasonably covering new functionality or
modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent
with existing code
* [ ] This feature/change has adequate documentation added (if appropriate)
* [ ] No obvious mistakes / misspelling in the code
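The two changes the MR describes, modelled as an added example in C that is not wget2's code and uses no OpenSSL: certificates in the verified chain are stand-in serial strings (an assumption), a store of stapled responses is filled during the handshake, and the post-handshake check consults that store, treating an expired stapled response as absent, before falling back to an injected on-line query.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Constructed model of the merge request's flow, not wget2 code. A certificate
 * is identified by a serial string standing in for the real OCSP cert ID. */
typedef enum { OCSP_GOOD, OCSP_REVOKED, OCSP_UNKNOWN } ocsp_status;

typedef struct {
    const char *serial;
    ocsp_status status;
    time_t next_update;   /* stapled response may only be relied on until this time */
} stapled_resp;

typedef struct { stapled_resp items[8]; size_t n; } stapled_store;

/* Called once for every stapled OCSP response seen during the handshake. */
void stapled_store_add(stapled_store *s, const char *serial, ocsp_status st, time_t next_update) {
    if (s->n < 8) s->items[s->n++] = (stapled_resp){serial, st, next_update};
}

/* Stapled status for serial, or NULL if none is stored or it is no longer fresh. */
static const stapled_resp *stapled_lookup(const stapled_store *s, const char *serial, time_t now) {
    for (size_t i = 0; i < s->n; i++)
        if (strcmp(s->items[i].serial, serial) == 0 && s->items[i].next_update > now)
            return &s->items[i];
    return NULL;
}

/* On-line OCSP query, injected so the caller can observe when it is used. */
typedef ocsp_status (*online_ocsp_fn)(const char *serial, void *ctx);

/* Post-handshake check over the verified chain: a fresh stapled response is
 * used when present, otherwise the responder is queried. Stops at the first
 * certificate that is not GOOD and returns true only if all of them are. */
bool ocsp_check_chain(const char *const *chain, size_t chain_len,
                      const stapled_store *s, time_t now,
                      online_ocsp_fn online, void *ctx) {
    for (size_t i = 0; i < chain_len; i++) {
        const stapled_resp *r = stapled_lookup(s, chain[i], now);
        ocsp_status st = r ? r->status : online(chain[i], ctx);
        if (st != OCSP_GOOD) return false;
    }
    return true;
}

/* Demonstration responder (constructed): counts queries via ctx and treats the
 * constructed serial "revoked-01" as revoked, everything else as good. */
ocsp_status demo_online(const char *serial, void *ctx) {
    ++*(int *)ctx;
    return strcmp(serial, "revoked-01") == 0 ? OCSP_REVOKED : OCSP_GOOD;
}
```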