wget2 | WIP: OpenSSL: OCSP support (!460)


From: Ander Juaristi
Subject: wget2 | WIP: OpenSSL: OCSP support (!460)
Date: Mon, 02 Dec 2019 16:37:48 +0000


Ander Juaristi created a merge request: 
https://gitlab.com/gnuwget/wget2/merge_requests/460

Branches: wget2-openssl-ajuaristi-ocsp to master
Author:    Ander Juaristi
Assignee: Ander Juaristi


Here comes, finally, the OCSP implementation with the OpenSSL backend.

It's basically working, passes all the tests, and I expect future changes to be 
minor.

There are some noteworthy issues I'd like to discuss before considering this 
not-WIP.

First, the OCSP test cert chain. I had to re-generate the whole cert chain and 
add the `serverAuth` flag to the OCSP certificates of the test suite. This is 
so because the same cert chain is used for the OCSP server and the HTTPS server 
in the `test-ocsp-server` test (the test spawns those two servers). OpenSSL 
will reject HTTPS certificates that don't have the `serverAuth` flag, whereas 
GnuTLS doesn't seem to care, at least by default. With this change, both test 
suites (OpenSSL and GnuTLS) pass for me.

There are some missing features, and I'll continue working on them and pushing 
new patches, hopefully before the new year.

 - OCSP stapling
 - Some stats
 - TFO not working on kernels <4.11 (issue #472 tracks this).

There are some untested features I'd like to write tests for. These hold for 
both OpenSSL and GnuTLS backends: the `WGET_SSL_OCSP_DATE` (rejects the OCSP 
response if it's older than 3 days) and `WGET_SSL_OCSP_NONCE` (sends a nonce in 
the OCSP request) options are untested.

### Approver's checklist:

* [ ] The author has submitted the FSF Copyright Assignment and is listed in 
AUTHORS
* [ ] There is a test suite reasonably covering new functionality or 
modifications
* [ ] Function naming, parameters, return values, types, etc., are consistent 
with existing code
* [ ] This feature/change has adequate documentation added (if appropriate)
* [ ] No obvious mistakes / misspelling in the code
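The `serverAuth` point above (OpenSSL rejects a server certificate whose extendedKeyUsage lacks id-kp-serverAuth, while GnuTLS accepts it by default) is easy to check on a test chain before wiring it into both an OCSP responder and an HTTPS server. The following is an added example, not wget2 code: a minimal DER decoder for the extendedKeyUsage extension value (RFC 5280 section 4.2.1.12), run over two constructed EKU values, one with serverAuth and OCSPSigning, one with OCSPSigning only.

```python
# Added illustration (not part of wget2 or its test suite): decode the DER
# value of an X.509 extendedKeyUsage extension (SEQUENCE OF OBJECT IDENTIFIER)
# and report whether OpenSSL would accept the certificate for an HTTPS server,
# i.e. whether id-kp-serverAuth is present.

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth
OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"   # id-kp-OCSPSigning

def _read_tlv(data: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(body: bytes) -> str:
    """Decode base-128 OID sub-identifiers into dotted-decimal form."""
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def eku_oids(ext_value: bytes) -> list:
    """Return the list of key-purpose OIDs in an extendedKeyUsage value."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside extendedKeyUsage")
        oids.append(_decode_oid(body))
    return oids

def usable_for_https(ext_value: bytes) -> bool:
    """True if OpenSSL would accept this EKU for a TLS server certificate."""
    return SERVER_AUTH in eku_oids(ext_value)

# Constructed sample extension values (hex), not taken from any real chain.
EKU_OCSP_AND_SERVER = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070309")
EKU_OCSP_ONLY = bytes.fromhex("300a" "06082b06010505070309")

if __name__ == "__main__":
    for name, v in (("regenerated chain", EKU_OCSP_AND_SERVER), ("OCSP-only cert", EKU_OCSP_ONLY)):
        print(name, eku_oids(v), "ok for HTTPS" if usable_for_https(v) else "rejected by OpenSSL")
```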
