Mailing List Archive: exim: dev

OCSP Stapling support in experimental_ocsp branch


pdp at exim

May 8, 2012, 8:29 AM

Post #1 of 8 (501 views)
OCSP Stapling support in experimental_ocsp branch

Unless anyone objects, I'd like to merge in the experimental_ocsp branch
which I've just pushed.

It adds OCSP Stapling to Exim.

Like SNI support, it's most likely to be of use on the Submission port.
It integrates cleanly with SNI.

Documentation of what this is and why it's useful has been added to
experimental-spec.txt.

See:
http://git.exim.org/exim.git/blob/experimental_ocsp:/doc/doc-txt/experimental-spec.txt
https://github.com/Exim/exim/blob/experimental_ocsp/doc/doc-txt/experimental-spec.txt

There's no automatic maintenance, it assumes only one cert in the OCSP
file, etc.

For testing, in my certificate authority index dir, I ran:

# OCSP responder: answers from the CA's index.txt, signs with the CA key
# itself, and sets nextUpdate 14 days out (-ndays):
openssl ocsp \
    -index index.txt -CA globnixCA3.pem -rsigner globnixCA3.pem \
    -rkey private/globnixCA3-key.pem \
    -ndays 14 \
    -port 4444

I then ran:

# Client query for one serial, with a nonce binding the answer to this
# request; the DER response is written to the file "fred":
openssl ocsp \
    -issuer globnixCA3.pem -nonce -CAfile globnixCA3.pem \
    -url http://localhost:4444/ -serial 0x79 -respout fred

where 0x79 comes from my submission port cert. I put the file "fred"
into place as tls_ocsp_file.

For production usage, this would need a script keeping it up-to-date.
Possibly Exim as a daemon should be periodically refreshing this
automatically; that sort of question is why this is EXPERIMENTAL_OCSP.

Is there anyone running Exim for a large population of users who might
test this? I just have myself and my long-suffering wife.

-Phil

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
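The post above leaves the operational gap open: the branch staples whatever is in tls_ocsp_file and nothing keeps that file fresh. The following is an added example (not Exim code, not from the branch) of the check a refresh job needs: it parses the DER OCSPResponse that "openssl ocsp -respout" writes, pulls out certStatus, serial, thisUpdate and nextUpdate for the single SingleResponse the file is assumed to hold, and decides whether to re-fetch. The test vectors are constructed with a small DER encoder in the same file; their hashes and signature are dummies, and the margin of two days, the OID constants and the helper names are this example's own choices. The responder signature is deliberately not checked here: verify a freshly fetched response with "openssl ocsp -respin fred -CAfile globnixCA3.pem -text" before moving it into place.

```python
"""Freshness/status check for an Exim tls_ocsp_file (a DER OCSPResponse, RFC 6960).
Added example, not Exim code: the EXPERIMENTAL_OCSP branch staples the file as-is, so a
cron job must notice when the response is about to expire and re-run 'openssl ocsp'.
Parses only what that decision needs; the responder signature is NOT verified here.
"""
from datetime import datetime, timedelta, timezone

OID_OCSP_BASIC = bytes.fromhex("2b0601050507300101")   # id-pkix-ocsp-basic 1.3.6.1.5.5.7.48.1.1
OID_SHA1 = bytes.fromhex("2b0e03021a")                  # 1.3.14.3.2.26
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")    # sha256WithRSAEncryption
CERT_STATUS = {0x80: "good", 0xa1: "revoked", 0x82: "unknown"}  # IMPLICIT [0]/[1]/[2]
SAMPLE_NOW = datetime(2012, 5, 8, 12, 0, tzinfo=timezone.utc)   # fixed clock for the vectors

def _tlv(buf, pos):
    """Decode one DER tag and length at pos -> (tag, value_start, value_end)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                  # long form: low 7 bits = count of length octets
        n = ln & 0x7f
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside a constructed value."""
    while start < end:
        tag, vs, ve = _tlv(buf, start)
        yield tag, vs, ve
        start = ve

def _gtime(buf, vs, ve):  # GeneralizedTime in the only form DER allows here: YYYYMMDDHHMMSSZ
    return datetime.strptime(buf[vs:ve].decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_ocsp_response(der):
    """Return {'status', 'serial', 'this_update', 'next_update'}; ValueError if unusable."""
    tag, s, e = _tlv(der, 0)
    outer = list(_children(der, s, e))
    if tag != 0x30 or outer[0][0] != 0x0a or der[outer[0][1]:outer[0][2]] != b"\x00":
        raise ValueError("responseStatus is not 'successful'")  # e.g. 6 = unauthorized
    _, rs, re_ = _tlv(der, outer[1][1])                         # responseBytes SEQUENCE
    (_, os_, oe), (_, vs, ve) = _children(der, rs, re_)         # responseType, response
    if der[os_:oe] != OID_OCSP_BASIC:
        raise ValueError("responseType is not id-pkix-ocsp-basic")
    basic = der[vs:ve]                                          # BasicOCSPResponse
    _, ts, te = _tlv(basic, _tlv(basic, 0)[1])                  # tbsResponseData
    fields = list(_children(basic, ts, te))
    if fields[0][0] == 0xa0: fields.pop(0)                      # [0] EXPLICIT version, normally absent
    singles = list(_children(basic, fields[2][1], fields[2][2]))  # responderID, producedAt, responses
    if len(singles) != 1:
        raise ValueError("expected exactly one SingleResponse, got %d" % len(singles))
    sf = list(_children(basic, singles[0][1], singles[0][2]))
    cid = list(_children(basic, sf[0][1], sf[0][2]))            # certID: hashAlg, nameHash, keyHash, serial
    info = {"status": CERT_STATUS[sf[1][0]], "next_update": None,
            "serial": int.from_bytes(basic[cid[3][1]:cid[3][2]], "big", signed=True),
            "this_update": _gtime(basic, sf[2][1], sf[2][2])}
    for tag, vs, ve in sf[3:]:
        if tag == 0xa0:                                         # [0] EXPLICIT nextUpdate
            _, gs, ge = _tlv(basic, vs)
            info["next_update"] = _gtime(basic, gs, ge)
    return info

def staple_verdict(info, now, margin=timedelta(days=2)):
    """'ok' to keep stapling, 'refresh' to re-fetch, otherwise the non-good status."""
    if info["status"] != "good":
        return info["status"]                 # never staple a response announcing our own revocation
    nu = info["next_update"]
    if nu is None or now + margin >= nu:      # absent nextUpdate = "newer information always available"
        return "refresh"
    return "ok"

def _enc(tag, payload):                       # one DER TLV, definite length, payloads below 64 KiB
    n = len(payload)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + payload

def _enc_time(dt): return _enc(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii"))

def build_sample_response(status, this_update, next_update=None, serial=0x79):
    """Constructed test vector shaped like 'openssl ocsp -respout' output: dummy hashes/signature."""
    serial_der = serial.to_bytes((serial.bit_length() + 8) // 8, "big")    # leading 0x00 keeps INTEGER positive
    cert_id = _enc(0x30, _enc(0x30, _enc(0x06, OID_SHA1) + _enc(0x05, b""))
                   + _enc(0x04, b"\x11" * 20) + _enc(0x04, b"\x22" * 20) + _enc(0x02, serial_der))
    cert_status = {"good": _enc(0x80, b""), "unknown": _enc(0x82, b""),
                   "revoked": _enc(0xa1, _enc_time(this_update))}[status]   # RevokedInfo.revocationTime
    single = _enc(0x30, cert_id + cert_status + _enc_time(this_update)
                  + (_enc(0xa0, _enc_time(next_update)) if next_update else b""))
    tbs = _enc(0x30, _enc(0xa2, _enc(0x04, b"\x33" * 20))                  # responderID byKey
                + _enc_time(this_update) + _enc(0x30, single))              # producedAt, responses
    sig = _enc(0x30, _enc(0x06, OID_SHA256_RSA) + _enc(0x05, b"")) + _enc(0x03, b"\x00" * 33)
    basic = _enc(0x30, tbs + sig)
    return _enc(0x30, _enc(0x0a, b"\x00")                                    # responseStatus: successful
                + _enc(0xa0, _enc(0x30, _enc(0x06, OID_OCSP_BASIC) + _enc(0x04, basic))))

def demo(now=SAMPLE_NOW):
    """Verdicts for four constructed staples judged against `now`."""
    h, d = timedelta(hours=1), timedelta(days=1)
    cases = [("fresh", "good", now - h, now + 14 * d), ("expiring", "good", now - 13 * d, now + d),
             ("no_next", "good", now - h, None), ("revoked", "revoked", now - h, now + 14 * d)]
    return {name: staple_verdict(parse_ocsp_response(build_sample_response(st, tu, nu)), now)
            for name, st, tu, nu in cases}
```

A refresh job built on this would run the verdict over the current tls_ocsp_file, and on "refresh" re-run the client command from the post, verify the new file with "openssl ocsp -respin", then write it under a temporary name and rename it over tls_ocsp_file so a half-written response is never stapled. A "revoked" or "unknown" verdict is an alert, not something to retry.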


jgh at wizmail

May 8, 2012, 2:07 PM

Post #2 of 8 (472 views)
Re: OCSP Stapling support in experimental_ocsp branch

On 2012-05-08 16:29, Phil Pennock wrote:
> Unless anyone objects, I'd like to merge in the experimental_ocsp branch
> which I've just pushed.
>
> It adds OCSP Stapling to Exim.

Including some relevant testsuite additions?
--
Cheers,
Jeremy




pdp at exim

May 8, 2012, 3:10 PM

Post #3 of 8 (471 views)
Re: OCSP Stapling support in experimental_ocsp branch

On 2012-05-08 at 22:07 +0100, Jeremy Harris wrote:
> On 2012-05-08 16:29, Phil Pennock wrote:
> > Unless anyone objects, I'd like to merge in the experimental_ocsp branch
> > which I've just pushed.
> >
> > It adds OCSP Stapling to Exim.
>
> Including some relevant testsuite additions?

*cough*

I welcome suggestions for *how* to cleanly integrate this into the test
suite.

-Phil



jgh at wizmail

May 11, 2012, 1:56 PM

Post #4 of 8 (447 views)
Re: OCSP Stapling support in experimental_ocsp branch

On 2012-05-08 23:10, Phil Pennock wrote:
> On 2012-05-08 at 22:07 +0100, Jeremy Harris wrote:
>> On 2012-05-08 16:29, Phil Pennock wrote:
>>> Unless anyone objects, I'd like to merge in the experimental_ocsp branch
>>> which I've just pushed.
>>>
>>> It adds OCSP Stapling to Exim.
>>
>> Including some relevant testsuite additions?
>
> *cough*
>
> I welcome suggestions for *how* to cleanly integrate this into the test
> suite.

So, can exim running in client mode observe the stapled information?
--
Jeremy





pdp at exim

May 11, 2012, 4:42 PM

Post #5 of 8 (449 views)
Re: OCSP Stapling support in experimental_ocsp branch

On 2012-05-11 at 21:56 +0100, Jeremy Harris wrote:
> So, can exim running in client mode observe the stapled information?

At this time, I've only implemented the server code. I've tested it can
be seen with "openssl s_client -status".

For client code, it may make sense for the Submission case (same as SNI
support) but I've thoughts on how to improve that somewhat, more
generally, so am holding off for now until post-release.

I want to see if I can get some GnuTLS overhauling done tonight, run
test suites, then cut RC1. Oh, and I need to look at that "only use
outbound connection if the outbound interface matches the configured
one" bug.

For after this release, I want to explore turning on DNSSEC if the
resolver supports it, what that means for finding a verifiable identity
for MX delivery, and things like trust-on-first-use support, much as is
used by SSH (and has strong support in GnuTLS), to try to tackle the
problems of MX host identity.



jgh at wizmail

May 12, 2012, 11:05 AM

Post #6 of 8 (448 views)
Re: OCSP Stapling support in experimental_ocsp branch

On 2012-05-12 00:42, Phil Pennock wrote:
> On 2012-05-11 at 21:56 +0100, Jeremy Harris wrote:
>> So, can exim running in client mode observe the stapled information?
>
> At this time, I've only implemented the server code. I've tested it can
> be seen with "openssl s_client -status".
>
> For client code, it may make sense for the Submission case (same as SNI
> support) but I've thoughts on how to improve that somewhat, more
> generally, so am holding off for now until post-release.

Sounds reasonable. I guess what I'm working towards is that
having the client side in Exim makes testing the server side simpler
(and vice-versa).
--
Jeremy





jgh at wizmail

May 13, 2012, 8:56 AM

Post #7 of 8 (438 views)
Re: OCSP Stapling support in experimental_ocsp branch

On 2012-05-12 00:42, Phil Pennock wrote:
> I want to see if I can get some GnuTLS overhauling done tonight, run
> test suites, then cut RC1.

Do we run any notion of a "feature freeze" close before a release?
--
Jeremy





pdp at exim

May 13, 2012, 12:35 PM

Post #8 of 8 (439 views)
Re: OCSP Stapling support in experimental_ocsp branch

On 2012-05-13 at 16:56 +0100, Jeremy Harris wrote:
> On 2012-05-12 00:42, Phil Pennock wrote:
> > I want to see if I can get some GnuTLS overhauling done tonight, run
> > test suites, then cut RC1.
>
> Do we run any notion of a "feature freeze" close before a release?

As of the first release candidate, yes.

There was never any substantive feedback on my proposed release policy,
so I'm inclined to rename the ProposedDraft out of it:

http://wiki.exim.org/EximReleasePolicyProposedDraft

The steps for the release itself are at:

http://wiki.exim.org/EximRelease

-Phil

