Mailing List Archive

OCSP
Hi,

I would like to know if Cherokee supports OCSP validation of the client
certificate chain.

The Man at:


Regards,

--
---------------------

Hugo Vázquez Caramés

"The work that is never started is the one that takes longest to finish" (J.
R. R. Tolkien)

"Most people spend more time and energy talking about problems than facing
them" (Henry Ford)

========================================================
PENTEST Consultores
Tel: 93 3962070 / Fax: 93 3962001
e-mail: hvazquez@pentest.es
========================================================
Gain credibility and trust, visit http://www.pentest.es


This email is confidential and intended solely for the use of the
individual to whom it is addressed. If you are not the intended
recipient, be advised that you have received this email in error and that
any use, dissemination, forwarding, printing or copying of this email is
strictly prohibited. If you have received this email in error please
notify the sender.

_______________________________________________
Cherokee mailing list
Cherokee@lists.octality.com
http://lists.octality.com/listinfo/cherokee
OCSP [ In reply to ]
Hi,

I'm reading:

http://www.cherokee-project.com/doc/cookbook_ssl.html

and I can't find anything about OCSP... Does Cherokee support something
like the "Enable OCSP validation of the client certificate chain" of
Apache?

Regards,

Re: OCSP [ In reply to ]
Hello Hugo,

2011/8/25 Hugo Vazquez Carames <hvazquez@pentest.es>

>
> I would like to know if Cherokee supports OCSP validation of the client
> certificate chain.


As far as I'm aware, Cherokee doesn't have anything to do with OCSP.

There are just a couple of pieces of software involved. First, the client -
usually a web browser - that may (or may not) perform an OCSP query.
Secondly, it is the OCSP server that is the one in charge of handling those
queries.

Am I missing some other interaction with the Web server?

--
Greetings, alo
http://www.octality.com/
Re: OCSP [ In reply to ]
Hi Alvaro,

OK, let me explain it better. The validation status of a client
certificate must be done via an OCSP request. That can be done via a
scripting language -i.e., PHP- but Apache, since version 2.3.x, can do it
automatically with mod_ssl:

http://httpd.apache.org/docs/2.3/new_features_2_3.html

"mod_ssl can now be configured to use an OCSP server to check the
validation status of a client certificate. The default responder is
configurable, along with the decision on whether to prefer the responder
designated in the client certificate itself."

Even if the client -a browser- is able to do its own OCSP queries,
validation of the client certificate should always be done at the server
side, for security reasons -for example someone trying to use a revoked
client certificate-. You can do it at the CGI level, but it will make life
easier to have the option of configuring it at the Cherokee -web server-
level, like Apache does in their last server version.

Does Cherokee allow -or will it allow- configuring an OCSP responder to
validate client certificates?



On Thu, 25 Aug 2011 13:14:43 +0200, Alvaro Lopez Ortega
<alvaro@octality.com> wrote:

> Hello Hugo,
>
> 2011/8/25 Hugo Vazquez Carames <hvazquez@pentest.es>
>
>>
>> I would like to know if Cherokee supports OCSP validation of the client
>> certificate chain.
>
>
> As far as I'm aware, Cherokee doesn't have anything to do with OCSP.
>
> There are just a couple of pieces of software involved. First, the
> client -
> usually a web browser - that may (or may not) perform an OCSP query.
> Secondly, it is the OCSP server that is the one in charge of handling
> those
> queries.
>
> Am I missing some other interaction with the Web server?
>


Re: OCSP [ In reply to ]
Hello Hugo,

Thanks for the clarification.

On Thu, Aug 25, 2011 at 4:12 PM, Hugo Vazquez Carames
<hvazquez@pentest.es>wrote:

>
> Even if the client -a browser- is able to do its own OCSP queries,
> validation of the client certificate should always be done at the server
> side, for security reasons -for example someone trying to use a revoked
> client certificate-. You can do it at the CGI level, but it will make life
> easier to have the option of configuring it at the Cherokee -web server-
> level, like Apache does in their last server version.
>

Well, in my understanding, it should be implemented as a uWSGI, FastCGI or
SCGI application. The feature is too specific to be part of a general
purpose Web server by default.


> Does Cherokee allow -or will it allow- configuring an OCSP responder to
> validate client certificates?


It is certainly not in the roadmap. Actually, I can see the value of having
a uWSGI/FastCGI app, but I'm not even sure this is something that should be
built into the web server. If we had the app though, we could provide a Wizard
to auto-configure it.

--
Greetings, alo
http://www.octality.com/
Re: OCSP [ In reply to ]
Hi Alvaro,

On Thu, 25 Aug 2011 16:45:40 +0200, Alvaro Lopez Ortega
<alvaro@octality.com> wrote:

> Hello Hugo,
>
> Thanks for the clarification.
>
> On Thu, Aug 25, 2011 at 4:12 PM, Hugo Vazquez Carames
> <hvazquez@pentest.es>wrote:
>
>>
>> Even if the client -a browser- is able to do its own OCSP queries,
>> validation of the client certificate should always be done at the server
>> side, for security reasons -for example someone trying to use a revoked
>> client certificate-. You can do it at the CGI level, but it will make
>> life
>> easier to have the option of configuring it at the Cherokee -web server-
>> level, like Apache does in their last server version.
>>
>
> Well, in my understanding, it should be implemented as a uWSGI, FastCGI or
> SCGI application. The feature is too specific to be part of a general
> purpose Web server by default.

Do you really think it is too specific? OCSP validation is a core part of
the trust chain of client certificate validation... Anyway, I deeply
respect your opinion.
Think about the increasing number of countries using Electronic National
Identity Cards, and how you can help build a more secure web
environment...


>
>
>> Does Cherokee allow -or will it allow- configuring an OCSP responder to
>> validate client certificates?
>
>
> It is certainly not in the roadmap. Actually, I can see the value of
> having
> a uWSGI/FastCGI app, but I'm not even sure this is something that should
> be
> built into the web server. If we had the app though, we could provide a
> Wizard
> to auto-configure it.

;-)

>


Re: OCSP [ In reply to ]
Hello,

On Thu, Aug 25, 2011 at 4:58 PM, Hugo Vazquez Carames
<hvazquez@pentest.es> wrote:

>> Well, in my understanding, it should be implemented as a uWSGI, FastCGI or
>> SCGI application. The feature is too specific to be part of a general
>> purpose Web server by default.
>
> Do you really think it is too specific? OCSP validation is a core part of
> the trust chain of client certificate validation... Anyway, I deeply respect
> your opinion.
> Think about the increasing number of countries using Electronic National
> Identity Cards, and how you can help build a more secure web
> environment...

We, at work, use something like this[1] with the OCSP servers of DNIe
(Electronic National Identity Cards in Spain). Anyway, IMHO, I think
it could be interesting to have it as an option... No overload on the SSL
handshake if you don't enable it, is there?


[1] http://php.net/manual/en/book.openssl.php#85444

--
Saludos:
Antonio Pérez
Re: OCSP [ In reply to ]
Antonio, Hugo,

2011/8/25 Antonio Pérez <aperez@skarcha.com>

> On Thu, Aug 25, 2011 at 4:58 PM, Hugo Vazquez Carames
> <hvazquez@pentest.es> wrote:
>
> >> Well, in my understanding, it should be implemented as a uWSGI, FastCGI
> or
> >> SCGI application. The feature is too specific to be part of a general
> >> purpose Web server by default.
> >
> > Do you really think it is too specific? OCSP validation is a core part of
> > the trust chain of client certificate validation... Anyway, I deeply
> respect
> > your opinion.
> > Think about the increasing number of countries using Electronic National
> > Identity Cards, and how you can help build a more secure web
> > environment...
>
> We, at work, use something like this[1] with the OCSP servers of DNIe
> (Electronic National Identity Cards in Spain). Anyway, IMHO, I think
> it could be interesting to have it as an option... No overload on the SSL
> handshake if you don't enable it, is there?
>

Alright then. Let's say it is not among the features I want to develop
for the upcoming releases. However, if there were a patch implementing it we
could integrate it seamlessly. - Since OpenSSL implements OCSP, I believe it
wouldn't be a lengthy or intrusive patch anyway.

Cheers!

--
Greetings, alo
http://www.octality.com/