wget-dev

wget2 | Several OCSP improvements (!513)


From: Ander Juaristi (@juaristi)
Subject: wget2 | Several OCSP improvements (!513)
Date: Sat, 24 Sep 2022 17:56:21 +0000


Ander Juaristi created a merge request: 
https://gitlab.com/gnuwget/wget2/-/merge_requests/513

Branches: aj-check-ocsp-at-end to master
Author:   Ander Juaristi
Assignee: Ander Juaristi
Reviewer: Tim Rühsen


This MR solves two major pain points on the OpenSSL backend. We move on-line 
OCSP verification out of the `openssl_revocation_check_fn` callback, and we 
take into account stapled responses sent by the server and avoid sending OCSP 
requests for those (#578).

We are doing OCSP verification in the `openssl_revocation_check_fn` callback. 
This callback is not the best place to check OCSP because the peer's X.509 cert 
stack that we get there is incomplete, and cannot be fully trusted. Hence, we 
move OCSP checking to the end of the `wget_ssl_open` function, just after the 
TLS handshake has successfully completed. At that point we do have the full, 
verified cert stack (it can be obtained with `SSL_get0_verified_chain`).

In addition, the fact that the on-line OCSP checks for the certificates were 
being carried out after the handshake completed meant that any stapled OCSP 
response sent by the server was not taken into account (all certificates were 
being OCSP-checked regardless of whether there was a stapled response for any of 
them or not). This was also happening before, when we used the 
`openssl_revocation_check_fn` callback, because it was always called after the 
OCSP verification callback. Hence, we create a vector and store all the stapled 
OCSP responses we receive, and then, during on-line OCSP verification, we check 
if a stapled response exists for each certificate before contacting OCSP 
servers.

### Approver's checklist:

* [ ] The author has submitted the FSF Copyright Assignment and is listed in 
AUTHORS
* [ ] There is a test suite reasonably covering new functionality or 
modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent 
with existing code
* [ ] This feature/change has adequate documentation added (if appropriate)
* [ ] No obvious mistakes / misspelling in the code

-- 
Reply to this email directly or view it on GitLab: 
https://gitlab.com/gnuwget/wget2/-/merge_requests/513
You're receiving this email because of your account on gitlab.com.
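The post-handshake flow this MR describes (walk the verified chain leaf-first, look for a stapled OCSP response that covers each certificate, and only go on-line for the ones without a usable staple), written out as an added example. This is not wget2 code and not the OpenSSL backend: it uses Python's `cryptography` package, builds a throw-away root/intermediate/leaf chain and two stapled responses in-process so it runs offline, and assumes the OCSP responder is the issuing CA itself (delegated responder certificates are not handled). The names `make_cert`, `make_staple`, `find_staple`, `plan_revocation_checks` and `demo` are this example's own. Matching a staple to a certificate is done by computing the CertID the way an OCSP request would carry it and comparing it with the response's CertID, which is what OpenSSL's `OCSP_cert_to_id()`/`OCSP_id_match()` pair does.

```python
# Added example, not wget2 code: decide, per certificate in a verified
# chain, whether a stapled OCSP response already covers it (skip the
# on-line query) or an OCSP server must be contacted. Chain, keys and
# staples are all constructed in-process so this runs offline.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc
NOW = datetime.datetime.now(UTC).replace(microsecond=0)  # fixed "now" for the demo
GOOD, REVOKED = ocsp.OCSPCertStatus.GOOD, ocsp.OCSPCertStatus.REVOKED


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(cn, signer_cn, key, signer_key, is_ca):
    """Constructed test certificate (hypothetical names, not a real PKI)."""
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(signer_cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))


def make_staple(cert, issuer, issuer_key, status, next_update):
    """Constructed DER OCSP response for `cert`, signed directly by its issuer."""
    this_update = min(NOW, next_update) - datetime.timedelta(hours=1)
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=issuer, algorithm=hashes.SHA1(),
                          cert_status=status, this_update=this_update,
                          next_update=next_update,
                          revocation_time=NOW if status == REVOKED else None,
                          revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, issuer)
            .sign(issuer_key, hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER)


def _cert_id(cert, issuer, algorithm):
    """CertID (issuer name hash, issuer key hash, serial) as an OCSP request
    would carry it; the OpenSSL analogue is OCSP_cert_to_id()."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, algorithm).build()
    return (req.issuer_name_hash, req.issuer_key_hash, req.serial_number)


def _aware(resp, field):
    # Newer cryptography exposes <field>_utc; older versions return naive UTC.
    val = getattr(resp, field + "_utc", None)
    if val is None:
        val = getattr(resp, field)
        val = val.replace(tzinfo=UTC) if val is not None else None
    return val


def find_staple(cert, issuer, staples):
    """Usable stapled response for `cert` issued by `issuer`, else None.
    Assumes the responder is the issuer; delegated responders are not handled."""
    for der in staples:
        resp = ocsp.load_der_ocsp_response(der)
        if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
            continue
        # Match the staple to this cert the way OCSP_id_match() does.
        if _cert_id(cert, issuer, resp.hash_algorithm) != (
                resp.issuer_name_hash, resp.issuer_key_hash, resp.serial_number):
            continue
        try:
            issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                       ec.ECDSA(resp.signature_hash_algorithm))
        except InvalidSignature:
            continue
        this_update, next_update = _aware(resp, "this_update"), _aware(resp, "next_update")
        if this_update > NOW or (next_update is not None and next_update < NOW):
            continue  # stale or not yet valid: fall back to an on-line query
        return resp
    return None


def plan_revocation_checks(chain, staples):
    """`chain` is leaf-first, as SSL_get0_verified_chain() returns it. Returns
    {subject CN: "stapled:<status>" | "online"}; the self-signed anchor at the
    end has no issuer in the chain and is not checked here."""
    plan = {}
    for cert, issuer in zip(chain, chain[1:]):
        cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        staple = find_staple(cert, issuer, staples)
        plan[cn] = ("online" if staple is None
                    else "stapled:" + staple.certificate_status.name.lower())
    return plan


def demo(leaf_status=GOOD, with_staples=True):
    root_key, inter_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Test Root", "Test Root", root_key, root_key, True)
    inter = make_cert("Test Intermediate", "Test Root", inter_key, root_key, True)
    leaf = make_cert("example.test", "Test Intermediate", leaf_key, inter_key, False)
    staples = []
    if with_staples:
        staples = [
            make_staple(leaf, inter, inter_key, leaf_status, NOW + datetime.timedelta(days=1)),
            # Stale staple for the intermediate: must not suppress the on-line check.
            make_staple(inter, root, root_key, GOOD, NOW - datetime.timedelta(hours=1)),
        ]
    return plan_revocation_checks([leaf, inter, root], staples)
```

Running `demo()` yields `{"example.test": "stapled:good", "Test Intermediate": "online"}`: the fresh, issuer-signed staple for the leaf removes it from the on-line list, while the intermediate's staple is rejected for being past its `nextUpdate` and the intermediate is still queried. A staple that fails the CertID match, the signature check or the validity window is ignored rather than trusted, which is the failure mode a client has to get right before it can safely skip the request.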