OCSP stapling and must-staple

OCSP stapling and must-staple

Niklas Bachmaier
Hello everyone

The last post I found on OCSP with Squid is from 2015 where it says
that Squid does not support OCSP by any means.

For certificate revocation checking we would like to make use of the
OCSP must-staple feature (defined in RFC 7633). We are asking
ourselves if OCSP stapling and especially must-staple is now supported
by Squid and, if it is, if there is any special configuration needed
to activate it.

We are currently using Squid 3.5 with OpenSSL version 1.0.2m from 2 Nov 2017.

Thanks already for any input on this!

Niklas
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: OCSP stapling and must-staple

Alex Rousskov
On 11/13/2017 03:21 AM, Niklas Bachmaier wrote:

> The last post I found on OCSP with Squid is from 2015 where it says
> that Squid does not support OCSP by any means.

For the record, here is that 2015 thread:
http://lists.squid-cache.org/pipermail/squid-users/2015-October/005831.html


> For certificate revocation checking we would like to make use of the
> OCSP must-staple feature (defined in RFC 7633). We are asking
> ourselves if OCSP stapling and especially must-staple is now supported
> by Squid and, if it is, if there is any special configuration needed
> to activate it.

AFAIK, OpenSSL does not automatically validate OCSP-related parts of the
server Hello. Squid does not do that either (yet?). As I said in 2015,
it may be possible to do the required validation using an external
certificate validator (sslcrtvalidator_program). If not already possible
"as is", it is probably not difficult to add the missing bits to Squid
to enable such external OCSP validation.


HTH,

Alex.