
Re: TLS Feature Extension ocsp must staple demonstration


Mark Goodwin

Jan 29, 2016, 5:08:14 AM
to Dan Bryan, mozilla-de...@lists.mozilla.org
Hi Dan,

You should be able to find all of the information you need in RFC 7633.

The OID you're looking for is: 1.3.6.1.5.5.7.1.24
(See
https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.1
)

The extension value will be a sequence of the features you want to require
(see http://tools.ietf.org/html/rfc6066 for information on these). At
present, only the status_request feature is supported.

This means you want: 0x30, 0x03, 0x02, 0x01, 0x05

I hope this helps.

-mgoodwin


On Tue, Jan 12, 2016 at 4:46 PM, Dan Bryan <danbr...@gmail.com> wrote:

> Hello, I was reading the following article:
>
> https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/
>
> Which states that:
>
> "OCSP Must-Staple makes use of the recently specified TLS Feature
> Extension. When a CA adds this extension to a certificate, it requires your
> browser to ensure a stapled OCSP response is present in the TLS handshake.
> If an OCSP response is not present, the connection will fail and Firefox
> will display a non-overridable error page. This feature will be included in
> Firefox 45, currently scheduled to be released in March 2016."
>
> I have downloaded Firefox 45.0a2 (2016-01-12) and would like to see this
> in action. I own a certificate authority product that allows me to issue
> custom extensions, but I am unsure of what the extension is called. Is there an
> OID or ASN.1 value that indicates the CA should add the TLS Feature
> extension supporting OCSP Must-Staple?
>
> --Dan
> _______________________________________________
> dev-security mailing list
> dev-se...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security
>
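To make the answer above concrete, here is an added worked example (my own code, not from Mark's post, Mozilla or NSS) that DER-encodes the TLS Feature extension he describes and parses it back. It hand-rolls the little bit of ASN.1 involved: the extension OID 1.3.6.1.5.5.7.1.24, the `TLSFeatures ::= SEQUENCE OF INTEGER` value, and the outer `Extension` structure with its optional critical flag. Feature number 5 is status_request from RFC 6066, so the extnValue for must-staple comes out as exactly the five bytes quoted above.

```python
# Added example (not code from the thread): build and parse the RFC 7633
# TLS Feature X.509 extension by hand, so the bytes quoted in the reply
# (0x30 0x03 0x02 0x01 0x05 under OID 1.3.6.1.5.5.7.1.24) can be checked.
# Plain DER with no third-party ASN.1 library; feature numbers are non-negative.

TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"   # id-pe-tlsfeature (RFC 7633)
STATUS_REQUEST = 5                        # RFC 6066 extension type: status_request


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_length(len(content)) + content


def _der_integer(v):
    """INTEGER in minimal two's complement; a leading 0x00 is kept when the top bit is set."""
    if v < 0:
        raise ValueError("feature numbers are non-negative")
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def _der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def encode_tls_features(features):
    """TLSFeatures ::= SEQUENCE OF INTEGER (this is the extnValue)."""
    return _tlv(0x30, b"".join(_der_integer(f) for f in features))


def encode_extension(features, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    DER omits a DEFAULT value, so the BOOLEAN is emitted only when critical."""
    body = _der_oid(TLS_FEATURE_OID)
    if critical:
        body += _tlv(0x01, b"\xff")
    body += _tlv(0x04, encode_tls_features(features))
    return _tlv(0x30, body)


def _read_tlv(buf, pos=0):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _decode_oid(content):
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_tls_features(value):
    """Parse an extnValue back into the list of required TLS feature numbers."""
    tag, content, end = _read_tlv(value)
    if tag != 0x30 or end != len(value):
        raise ValueError("TLSFeatures must be exactly one SEQUENCE")
    features, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        if tag != 0x02:
            raise ValueError("TLSFeatures elements must be INTEGER")
        features.append(int.from_bytes(body, "big", signed=True))
    return features


def decode_extension(ext):
    """Parse a full Extension; returns (oid, critical, features)."""
    tag, content, end = _read_tlv(ext)
    if tag != 0x30 or end != len(ext):
        raise ValueError("Extension must be exactly one SEQUENCE")
    tag, body, pos = _read_tlv(content)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    oid = _decode_oid(body)
    if oid != TLS_FEATURE_OID:
        raise ValueError("not a TLS Feature extension: " + oid)
    critical = False
    tag, body, pos = _read_tlv(content, pos)
    if tag == 0x01:                       # optional critical flag
        critical = body == b"\xff"
        tag, body, pos = _read_tlv(content, pos)
    if tag != 0x04 or pos != len(content):
        raise ValueError("extnValue must be the final OCTET STRING")
    return oid, critical, decode_tls_features(body)


def requires_stapling(extn_value):
    """True when status_request (5) is required, i.e. OCSP Must-Staple is asserted."""
    return STATUS_REQUEST in decode_tls_features(extn_value)
```

`encode_extension([5])` yields the whole extension as it appears inside the certificate's extensions list; a CA product that only asks for the OID and raw value needs `encode_tls_features([5])`, which is the five bytes from the reply. RFC 7633 does not require the extension to be critical, so the default here is non-critical.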

Rob Stradling

Jan 29, 2016, 5:21:18 AM
to Dan Bryan, Mark Goodwin, mozilla-de...@lists.mozilla.org
On 29/01/16 10:08, Mark Goodwin wrote:
> Hi Dan,
>
> You should be able to find all of the information you need in RFC 7633.
>
> The OID you're looking for is: 1.3.6.1.5.5.7.1.24
> (See
> https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.1
> )
>
> The extension value will be a sequence of the features you want to require
> (see http://tools.ietf.org/html/rfc6066 for information on these). At
> present, only the status_request feature is supported.
>
> This means you want: 0x30, 0x03, 0x02, 0x01, 0x05
>
> I hope this helps.
>
> -mgoodwin

Hi Dan. Here are some existing examples of certs/sites that might help you:

Correctly configured (status_request required and supported):
Site: https://must-staple.serverhello.com
Cert: https://crt.sh/?id=11323316

Deliberately misconfigured (status_request required but _not_ supported):
Site: https://must-staple-no-ocsp.serverhello.com
Cert: https://crt.sh/?id=11333146


Also, you might find our SSL Analyzer tool useful for verifying that
you're doing TLS Feature correctly. e.g.
https://sslanalyzer.comodoca.com/?url=must-staple.serverhello.com
https://sslanalyzer.comodoca.com/?url=must-staple-no-ocsp.serverhello.com

Hope this helps.

> On Tue, Jan 12, 2016 at 4:46 PM, Dan Bryan <danbr...@gmail.com> wrote:
>
>> Hello, I was reading the following article:
>>
>> https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/
>>
>> Which states that:
>>
>> "OCSP Must-Staple makes use of the recently specified TLS Feature
>> Extension. When a CA adds this extension to a certificate, it requires your
>> browser to ensure a stapled OCSP response is present in the TLS handshake.
>> If an OCSP response is not present, the connection will fail and Firefox
>> will display a non-overridable error page. This feature will be included in
>> Firefox 45, currently scheduled to be released in March 2016."
>>
>> I have downloaded Firefox 45.0a2 (2016-01-12) and would like to see this
>> in action. I own a certificate authority product that allows me to issue
>> custom extensions, but I am unsure of what the extension is called. Is there an
>> OID or ASN.1 value that indicates the CA should add the TLS Feature
>> extension supporting OCSP Must-Staple?
>>
>> --Dan
>> _______________________________________________
>> dev-security mailing list
>> dev-se...@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-security
>>
> _______________________________________________
> dev-security mailing list
> dev-se...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security
>

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com


Dan Bryan

Feb 1, 2016, 12:52:04 PM
to mozilla-de...@lists.mozilla.org
Thanks for the info; I was able to successfully create a certificate with the status_request assertion built in. My understanding is that Mozilla will support both enforcement of the status_request assertion in the X.509 certificate and a must-staple assertion in the HTTP response. Are you able to provide any references on how to configure a web server (IIS or Apache) to provide this? I don't even see a mention of staple in the list of HTTP headers:
https://en.wikipedia.org/wiki/List_of_HTTP_header_fields

Any help would be appreciated.

--Dan

Richard Barnes

Feb 1, 2016, 2:34:20 PM
to Dan Bryan, mozilla-de...@lists.mozilla.org
Sent from my iPhone. Please excuse brevity.

> On Feb 1, 2016, at 12:54, Dan Bryan <danbr...@gmail.com> wrote:
>
> Thanks for the info; I was able to successfully create a certificate with the status_request assertion built in. My understanding is that Mozilla will support both enforcement of the status_request assertion in the X.509 certificate and a must-staple assertion in the HTTP response.

For now, only the former, i.e., only the cert extension. I don't
think there's even a spec for a header.

--Richard

> Are you able to provide any references on how to configure a web server (IIS or Apache) to provide this? I don't even see a mention of staple in the list of HTTP headers:
> https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
>
> Any help would be appreciated.
>
> --Dan
>
>
>> On Friday, January 29, 2016 at 5:08:14 AM UTC-5, Mark Goodwin wrote:

Hubert Kario

Feb 2, 2016, 6:40:35 AM
to dev-se...@lists.mozilla.org, Dan Bryan, mozilla-de...@lists.mozilla.org
On Monday 01 February 2016 07:47:44 Dan Bryan wrote:
> Thanks for the info; I was able to successfully create a certificate
> with the status_request assertion built in. My understanding is that
> Mozilla will support both enforcement of the status_request assertion
> in the X.509 certificate and a must-staple assertion in the HTTP
> response. Are you able to provide any references on how to configure
> a web server (IIS or Apache) to provide this? I don't even see a
> mention of staple in the list of HTTP headers:
> https://en.wikipedia.org/wiki/List_of_HTTP_header_fields

OCSP Stapling is implemented at a lower level, not as an HTTP header but as
a TLS extension; see Certificate Status Request[1].

The feature you're looking for is enabled by the SSLUseStapling directive in
mod_ssl[2] and by NSSOCSP in mod_nss[3].

1 - https://tools.ietf.org/html/rfc6066#section-8
2 - https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslusestapling
3 - https://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
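As an added illustration of the mod_ssl side of this (my own configuration fragment, not from Hubert's message or the Apache documentation), here is a minimal vhost that serves a must-staple certificate with stapling turned on. The hostname, file paths and cache size are placeholders; the directive names are the real mod_ssl ones.

```apache
# Added example configuration; hostname, paths and cache size are placeholders.

# The stapling cache is server-wide and must sit outside any <VirtualHost>.
SSLStaplingCache "shmcb:/var/run/ocsp(128000)"

<VirtualHost *:443>
    ServerName must-staple.example.test
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/must-staple.example.test.crt
    SSLCertificateKeyFile /etc/ssl/private/must-staple.example.test.key
    # mod_ssl needs the issuer certificate to build the OCSP request.
    SSLCertificateChainFile /etc/ssl/certs/issuing-ca.crt

    # Weak setting (the default): a certificate carrying the TLS Feature
    # extension is served with no stapled response, and Firefox 45 will
    # refuse the connection with a non-overridable error.
    # SSLUseStapling off

    # Corrected setting: fetch the OCSP response and staple it in the handshake.
    SSLUseStapling on
    # Do not pass responder errors (tryLater, internalError) on to clients
    # in place of a good response; the default for this directive is on.
    SSLStaplingReturnResponderErrors off
    SSLStaplingResponderTimeout 5
</VirtualHost>
```

To confirm the staple is actually being sent, `openssl s_client -connect must-staple.example.test:443 -status </dev/null` prints an "OCSP Response Data" section when a response is stapled and "OCSP response: no response sent" when it is not, which is the difference between Rob's two test sites above.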
