
Add OCSP stapling for both client and server

Open theo546 opened this issue 3 years ago • 8 comments

Use case

Introduce an OCSP stapling system so that Maddy can check the certificates of servers it's connecting to, but also send an OCSP response of the certificate the mail server is currently using when an e-mail is being received.

That would be a killer feature and Maddy would be the "second" known mail server to have such a feature!

Your idea for a solution

I have no idea for a solution as I am not good enough with the Go language to provide anything worthwhile.

  • [ ] I'm willing to help with the implementation

theo546 avatar Jun 26 '21 01:06 theo546

For the client, we would need to have an OCSP verifier, which does not seem to be available in the standard library or x/crypto: https://github.com/golang/go/issues/40017 And there does not seem to be a reasonably complete verification implementation on GitHub.

Once one is available - it should be trivial to plug it into maddy and have OCSP verification working.

foxcpp avatar Jun 27 '21 15:06 foxcpp

As for stapling OCSP responses on server side, this is something we could probably work on. Need to study how caddy does it and see if we can share any code.

foxcpp avatar Jun 27 '21 15:06 foxcpp

I wonder if we can tear out our TLS management code and replace it with certmagic (https://github.com/caddyserver/certmagic) that also seems to implement OCSP stapling in addition to ACME (thus we will also solve #3).

foxcpp avatar Jun 27 '21 16:06 foxcpp

Otherwise the code to steal is https://github.com/caddyserver/certmagic/blob/eba05a818ed35af0d015b6799486afff704ffa28/ocsp.go#L31

foxcpp avatar Jun 27 '21 16:06 foxcpp

While I believe it is unfeasible for us to fully replace our TLS management code with Certmagic, I believe we can integrate it into tls.loader.file good enough so it could handle OCSP stapling for us. I will experiment with it while implementing #3.

foxcpp avatar Jul 12 '21 16:07 foxcpp

tls.loader.acme introduced by 93cf4f231a4e23ea7d6fef642024b027b39e995c supports OCSP stapling.

foxcpp avatar Jul 13 '21 09:07 foxcpp

That's amazing! You managed to implement a feature like that in no time, that's amazing!

I got a question though, does OCSP stapling work when using certificates generated by an external software (eg: acme.sh)?

theo546 avatar Jul 28 '21 17:07 theo546

Yeah. That's the problem. It works only for certificates automatically obtained using built-in ACME client now.

foxcpp avatar Jul 28 '21 18:07 foxcpp
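As an added illustration of the two halves discussed in this thread (the server-side staple that tls.loader.acme now provides, and the client side where Go hands over the stapled bytes but verifies nothing), here is a stand-alone Go example that is not part of maddy or certmagic. It performs an in-memory TLS handshake against a throwaway self-signed certificate for the constructed name "mail.example.test" and returns whatever the client received as the stapled OCSP response; the `staple` argument is whatever bytes the caller supplies, so for externally obtained certificates (the acme.sh case above) it is the caller who would have to fetch and refresh a real DER response.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)
// StapledResponse runs an in-memory TLS handshake in which the server attaches
// `staple` via tls.Certificate.OCSPStaple (the field a loader such as
// tls.loader.acme or certmagic fills with a fresh DER OCSP response) and returns
// the bytes the client finds in ConnectionState().OCSPResponse. crypto/tls only
// transports those bytes; it never parses or validates them.
func StapledResponse(staple []byte) ([]byte, error) {
	// Throwaway self-signed cert for the constructed name "mail.example.test"; it is also the client's trust root.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"mail.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf, OCSPStaple: staple}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	// net.Pipe is synchronous; session tickets are disabled so the server
	// handshake completes without the client having to read anything more.
	cConn, sConn := net.Pipe()
	srv := tls.Server(sConn, &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
	go srv.Handshake()
	cli := tls.Client(cConn, &tls.Config{RootCAs: pool, ServerName: "mail.example.test"})
	if err := cli.Handshake(); err != nil {
		return nil, err
	}
	return cli.ConnectionState().OCSPResponse, nil
}
```

A Go client always asks for a staple, so a server that sets nothing on the certificate simply yields an empty OCSPResponse; turning the returned bytes into a revocation decision still needs an OCSP parser and verifier, which is the missing piece foxcpp points to.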