Topic: OCSP stapling
Does wolfSSL support OCSP stapling in the handshake? What are the relevant APIs?
You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → wolfSSL → OCSP stapling
Does wolfSSL support OCSP stapling in the handshake? What are the relevant APIs?
Hi,
I have attached a PDF which should help explain wolfSSL's OCSP Stapling functionality. Are you able to share any details of the project you are working on?
Thanks,
Chris
Hi Chris
I'm basically doing a measurement study of top 100 Alexa websites to see which support OCSP stapling in the SSL handshake. I'm also collecting some statistics on the validity period of the OCSP responses. Therefore, I want to parse all this data out from the SSL handshake. My plan was to use the callback mechanism and go from there.
I can't find the attachment.
Hi,
Thanks for the additional details. It looks like my attachment didn't work correctly last time. Trying again here.
Thanks,
Chris
Thanks, I can setup the API now, but how do I access the OCSP response?
I'd like to access the ocsp response and extract the thisUpdate, nextUpdate, etc fields for data collection.
So some progress. I did:
if((use_ocsp = wolfSSL_UseOCSPStaplingV2(ssl, WOLFSSL_CSR2_OCSP, 0)) != SSL_SUCCESS)
logsslerror(use_ocsp, "OCSP Error");
if((use_ocsp = wolfSSL_CTX_EnableOCSP(ctx, 0)) != SSL_SUCCESS)
logsslerror(use_ocsp, "CTX_EnableOCSP error");
if((use_ocsp = wolfSSL_SetOCSP_Cb(ssl, ocspCb, NULL, NULL)) != SSL_SUCCESS)
logsslerror(use_ocsp, "OCSP CB Error");
with an ocsp callback of the form:
int ocspCb(void *a, const char* url, int urlSz, unsigned char *req, int reqSz, unsigned char **resp)
{
printf("ocsp cb\n");
}
Now when I try it with bing.com and root cert of BaltimoreCyberTrustRoot.pem
I get as output error:
Connected to bing.com:443!
ocsp cb
hsi: ClientHello
hsi: ServerHello
hsi: Certificate
hsi: Alert
SSL handshake error: OCSP Responder lookup fail
Any idea what this means? I have enabled callbacks on the SSL handshake, and callbacks on the OCSP CB IO, which does not seem to be documented, but I got it from the wolfssl/ssh.h header
How is it possible that the callback is called so early in the handshake process?
My goal is to extract the thisDate, nextDate (which I think correspond to the thisUpdate, nextUpdate fields as per OCSP stapling RFC)
OK. so I used wireshark to find out that the bing.com server does not understand status_request_v2. It only understands status_request (i.e., regular ocsp stapling), so I recompiled with --enable-ocsp stapling, and I updated my code to:
if((use_ocsp = wolfSSL_UseOCSPStapling(ssl, WOLFSSL_CSR2_OCSP, 0)) != SSL_SUCCESS)
logsslerror(use_ocsp, "OCSP Error");
if((use_ocsp = wolfSSL_CTX_EnableOCSPStapling(ctx)) != SSL_SUCCESS)
logsslerror(use_ocsp, "CTX_EnableOCSP error");
if((use_ocsp = wolfSSL_SetOCSP_Cb(ssl, ocspCb, NULL, NULL)) != SSL_SUCCESS)
logsslerror(use_ocsp, "OCSP CB Error");
Now based on wireshark, I can see the OCSP response in the Server Hello, but my callback is still not getting called.
Now I have this code:
if (host != NULL) {
sockfd = socket(host->ai_family, host->ai_socktype, host->ai_protocol);
int ret = connect(sockfd, host->ai_addr, host->ai_addrlen);
if (ret < 0)
printf("error in connect: %s\n", strerror(errno));
else {
printf("Connected to %s:%s!\n", hostname, port);
if ((ssl = wolfSSL_new(ctx)) == NULL)
printf("%s\n", "wolfSSL_new error");
else {
wolfSSL_set_fd(ssl, sockfd);
//set ourselves up so that we can access the ServerHello and OCSP stapling
wolfSSL_KeepArrays(ssl);
int use_ocsp;
if((use_ocsp = wolfSSL_CTX_UseOCSPStapling(ctx, WOLFSSL_CSR_OCSP, 0)) != SSL_SUCCESS)
logsslerror(use_ocsp, "OCSP Error");
if((use_ocsp = wolfSSL_CTX_EnableOCSP(ctx, 0)) != SSL_SUCCESS)
logsslerror(use_ocsp, "CTX_EnableOCSP error");
if((use_ocsp = wolfSSL_CTX_EnableOCSPStapling(ctx)) != SSL_SUCCESS)
logsslerror(use_ocsp, "CTX_EnableOCSPStapling error");
if((use_ocsp = wolfSSL_CTX_SetOCSP_Cb(ctx, ocspCb, NULL, NULL)) != SSL_SUCCESS)
logsslerror(use_ocsp, "OCSP CB Error");
if (wolfSSL_connect_ex(ssl, handShakeCB, timeoutCB, timeout) == SSL_SUCCESS)
{
printf("%s\n", "SSL handshake complete");
processServerRandom(ssl);
}
else {
int err2 = wolfSSL_get_error(ssl, 0);
logsslerror(err2, "SSL handshake error");
}
}
}
But the callback doesn;t get called. My only goal is to get the OCSP response data from the Server Hello.
Hi,
The OCSP callback (registered with wolfSSL_CTX_SetOCSP_Cb()) is meant to allow your application to have control over connecting to the OCSP Responder and parsing/verifying the response. wolfSSL uses an internal OCSP callback (EmbedOcspLookup() in ./src/io.c) to do this by default, but when you override our internal callback with wolSSL_CTX_SetOCSP_Cb(), your application needs to handle this yourself within your callback. Your callback should return 0 on success or -1 on error.
One option that would allow you to inspect the OCSP response would be to:
1. Write and register your own OCSP callback with wolSSL_CTX_SetOCSP_Cb()
2. Have your callback just call our default callback (EmbedOcspLookup()). This is a public API function exposed through <wolfssl/ssl.h>
3. After our internal callback returns, you should be able to look at the response data inside the "unsigned char** resp" output variable.
Best Regards,
Chris
what is the correct way to use these functions?
I have:
int ocspCb(void *a, const char* url, int urlSz, unsigned char *req, int reqSz, unsigned char **resp)
{
int retVal = EmbedOcspLookup(a, url, urlSz, req, reqSz, resp);
printf("resp: %s\n", *resp);
return retVal;
}
and in registration I have:
if((use_ocsp = wolfSSL_CTX_SetOCSP_Cb(ctx, ocspCb, ocspRespFree, NULL)) != SSL_SUCCESS)
logsslerror(use_ocsp, "OCSP CB Error");
Not sure what to pass as the last argument
The CB is not getting called. This is what I have:
int ocspCb(void *a, const char* url, int urlSz, unsigned char *req, int reqSz, unsigned char **resp)
{
int retVal = EmbedOcspLookup(a, url, urlSz, req, reqSz, resp);
printf("resp: %s\n", *resp);
return retVal;
}
void ocspRespFree(void *a, unsigned char *b)
{
EmbedOcspRespFree(a, b);
}
if((use_ocsp = wolfSSL_CTX_UseOCSPStapling(ctx, WOLFSSL_CSR_OCSP, 0)) != SSL_SUCCESS)
logsslerror(use_ocsp, "OCSP Error");
if((use_ocsp = wolfSSL_CTX_EnableOCSP(ctx, 0)) != SSL_SUCCESS)
logsslerror(use_ocsp, "CTX_EnableOCSP error");
if((use_ocsp = wolfSSL_CTX_EnableOCSPStapling(ctx)) != SSL_SUCCESS)
logsslerror(use_ocsp, "CTX_EnableOCSPStapling error");
if((use_ocsp = wolfSSL_CTX_SetOCSP_Cb(ctx, ocspCb, ocspRespFree, NULL)) != SSL_SUCCESS)
logsslerror(use_ocsp, "OCSP CB Error");
if (wolfSSL_connect_ex(ssl, handShakeCB, timeoutCB, timeout) == SSL_SUCCESS)
{
printf("%s\n", "SSL handshake complete");
processServerRandom(ssl);
}
else {
int err2 = wolfSSL_get_error(ssl, 0);
logsslerror(err2, "SSL handshake error");
}
why does this not work? the last void* param seems to not be used in any function, so I'm confusued about what;s going wrong.
Keep in mind that this is OCSP stapling. The client should not go and contact some OCSP responder on its own. It should expect an OCSP response as part of the handshake. My goal is to retrieve the OCSP response data once a handshake is sucessful, and once the library has verified the OCSP response to be legitimate. Am I using the right functions here?
Updates. After debugging the code, I've boiled it down to CertStatus.thisDate and .nextDate
I edited code in wolfcrypt/src/asn.c (DecodeSingleResponse) and I was able to dump the thisDate and nextDate buffers. But how do I access this stuff from a normal program using the wolfSSL API? Is this supported or not?
Hi,
Indeed, we don't have API functions to retrieve that information. This functionality is not supported.
The way you did it, by dumping the desired data inside DecodeSingleResponse() is one of the paths I'd suggest you to follow.
[ ]'s
Moisés
wolfSSL - Embedded SSL Library → wolfSSL → OCSP stapling
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.019 seconds (89% PHP - 11% DB) with 11 queries