OCSP stapling limitations (was Re: [PATCH 0 of 4] OCSP stapling)
Maxim Dounin
mdounin at mdounin.ru
Sun Oct 6 10:14:10 UTC 2013
Hello!
On Fri, Oct 04, 2013 at 01:25:25PM +0100, Rob Stradling wrote:
> On 05/09/12 12:14, Maxim Dounin wrote:
> >Hello!
> >
> >Here are patches for OCSP stapling support. Testing and
> >review appreciated.
> <snip>
> >Known limitations:
> >
> >- Unless externally set OCSP response is used (via the "ssl_stapling_file"
> > directive), stapled response won't be sent in a first connection. This
> > is due to the fact that OCSP responders are currently queried by nginx
> > once it receives connection with certificate_status extension in ClientHello,
> > and due to limitations in OpenSSL API (certificate status callback is
> > blocking).
>
> Hi Maxim. This limitation is turning out to be a problem, for
> several reasons:
>
> 1. In some situations, the limitation appears to be amplified -
> there are more "first connections" than you might expect. Netcraft
> reported [1] that:
> "Fewer than 50% of the CloudFlare IP addresses responded with an
> OCSP response stapled on the first non-discarded connection attempt.
> Even after 20 requests, the response rate is not consistent, some IP
> addresses still fail to staple an OCSP response on each and every
> SSL connection. This inconsistent behaviour may be down to a number
> of separate machines responding to the same IP address either in
> different locations, or behind a load balancer."
It's believed to be related to a number of hosts CloudFlare uses
for each https domain and the fact that domains checked by
Netcraft are mostly unused. Piotr Sikora may be able to provide
more info.
I don't think this is a problem for ordinary uses of OCSP
stapling, as for unused domains optimization provided by OCSP
stapling doesn't really matter.
If it turns out to be a real problem - an obvious way to improve
things is to provide a cache for OCSP responses shared between
worker processes.
> 2. The CA/Browser Forum are defining a "must staple" certificate
> extension [2], which we anticipate that browsers (e.g. [3]) will
> recognize and enforce, by aborting the TLS handshake if a stapled
> OCSP response was not sent.
I believe it was said more than once that this changes OCSP
stapling quite significantly. As of now it's an optimization
technology, while with "must staple" it will become a required
part of a certificate. There is no surprise such change requires
quite a different coding aproach.
BTW, the draft in question was already expired.
> 3. Google are planning [4] to require the use of Certificate
> Transparency (CT) [5], and this plan expects OCSP Stapling to work
> reliably.
It looks like there is more than one way to include signed
certificate timestamp, and OCSP stapling is just one of them. And
I'm not sure it's a good way - the X509v3 certificate extension
should be better, as long as it's a required part of a
certificate.
> What work needs to be done to enable Nginx to send a stapled OCSP
> response every time (without having to use the "ssl_stapling_file"
> directive)?
I tend to think that ssl_stapling_file is a good way to provide an
OCSP response if it's required for some reason.
> Could you work around the fact that the OpenSSL certificate status
> callback is blocking? Or would you absolutely require a
> non-blocking alternative to be available?
> (Ben Laurie, who is on both the OpenSSL and CT teams, told me
> recently: "If there's changes needed to OpenSSL, it'd be helpful to
> know sooner
> rather than later.")
I don't think changing OpenSSL to support non-blocking callbacks
is feasible. While it's something we would like to have (just couple
of weeks ago we've discussed here that non-blocking callbacks are
required to support external session store), it looks like too
major change for OpenSSL. It will also take several years to be
actually usable.
--
Maxim Dounin
http://nginx.org/en/donation.html
More information about the nginx-devel
mailing list