[PATCH 2 of 2] Proxy: add support for OCSP stapling verification from upstream
mdounin at mdounin.ru
Fri Jan 22 18:46:01 UTC 2016
On Fri, Jan 22, 2016 at 06:02:14PM +0000, Alessandro Ghedini wrote:
> On Fri, Jan 22, 2016 at 08:49:26pm +0300, Maxim Dounin wrote:
> > Hello!
> > On Fri, Jan 22, 2016 at 05:38:06PM +0000, Alessandro Ghedini wrote:
> > > # HG changeset patch
> > > # User Alessandro Ghedini <alessandro at cloudflare.com>
> > > # Date 1453481233 0
> > > # Fri Jan 22 16:47:13 2016 +0000
> > > # Node ID c6668c14a2d168307bcfade0cc2e01c92c31312a
> > > # Parent a8c4f65236ad90138863d5295ca059a3d37da37e
> > > Proxy: add support for OCSP stapling verification from upstream
> > >
> > > This patch adds the "proxy_ssl_stapling_verify" option that controls OCSP
> > > stapling verification from an upstream server.
> > >
> > > The option allows three values:
> > >
> > > - "off" (default): disable OCSP stapling completely.
> > > - "on": request OCSP stapling from upstream and verify response if
> > > provided.
> > > - "full": same as "on", but fail also when no response is received.
> > The "on" seems to be no different from "off" and hardly makes
> > sense, as an attacker can easily avoid returning stapled OCSP
> > response.
> Yes, of course. This is what browsers currently do, and is IMO better than
> doing nothing. Once Must-Staple (aka "TLS Feature" x509 extension) starts
> to be used in the wild this can be updated.
What browsers do is quite different: they use OCSP, and use OCSP
Stapling as an optimization. And even if they can't obtain a
response, they show this visually to users.
What your code does is no different from doing nothing, as it
doesn't try to do anything if there is no OCSP response provided.
So the code can only result in false alerts due to configuration
errors, but won't be able to stop any attacks.
> > The "full" in turn doesn't seem to be correct feature, as stapled
> > OCSP response may be legitimately absent for multiple reasons.
> If you control the upstream servers then I don't see any reason why you
> couldn't just enable OCSP stapling unconditionally and enforce this on
> the downstream with the "full" option. Maybe I'm missing something?
Much like any other arbitrary requirement, this one of course can
be enforced as well. The question is how this is different from
other arbitrary requirements we don't provide options for.
Note well that nginx itself, even when configured with OCSP
stapling enabled, does _not_ guarantee that OCSP responses will be
stapled in all SSL connections - as obtaining an OCSP response
takes time, and OpenSSL does not provide a non-blocking interface
for certificate status callbacks.