
OCSP nextupdate

Open ElvinEfendi opened this issue 4 years ago • 5 comments

I hereby granted the copyright of the changes in this pull request to the authors of this lua-resty-core project.

Fixes https://github.com/openresty/lua-resty-core/issues/75
Depends on https://github.com/openresty/lua-nginx-module/pull/1694

This is a sister PR of https://github.com/openresty/lua-nginx-module/pull/1694.

I cannot find the necessary keys to create another OCSP response with nextUpdate set. I can do the whole thing from the ground up and include all the necessary keys and certs, but if there's already a way to sign another OCSP response for the existing certs in t/, it would be better to use that so that I can add more meaningful test cases. UPDATE: I included all the necessary test fixtures and also steps to (re)generate them.

ElvinEfendi avatar Apr 18 '20 14:04 ElvinEfendi

Here's the local test run:

> lua-resty-core (ocsp-nextupdate)$ docker run -w /app --rm -it -v ${PWD}:/app lua_ngx t/ocsp.t
t/ocsp.t .. 1/258 TEST 17: no status req from client - WARNING: killing the child process 21 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 13/258 TEST 16: good status req from client - WARNING: killing the child process 34 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 29/258 TEST 18: good OCSP response with nextUpdate present - WARNING: killing the child process 47 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 48/258 TEST 5: get OCSP responder (truncated) - WARNING: killing the child process 60 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 57/258 TEST 4: get OCSP responder (issuer cert not next to the leaf cert) - WARNING: killing the child process 73 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 77/258 TEST 6: create OCSP request (good) - WARNING: killing the child process 86 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 83/258 TEST 9: create OCSP request (no issuer cert in the chain) - WARNING: killing the child process 99 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 97/258 TEST 1: get OCSP responder (good case) - WARNING: killing the child process 112 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 116/258 TEST 8: create OCSP request (empty string cert chain) - WARNING: killing the child process 125 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 123/258 WARNING: TEST 8: create OCSP request (empty string cert chain) - 2020/04/18 20:44:43 [crit] 138#0: *3 SSL_do_handshake() failed (SSL: error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error) while SSL handshaking, client: unix:, server: unix:/app/t/servroot/html/nginx.sock at /usr/local/share/perl/5.22.1/Test/Nginx/Socket.pm line 1236.
t/ocsp.t .. 129/258 WARNING: TEST 8: create OCSP request (empty string cert chain) - 2020/04/18 20:44:43 [crit] 138#0: *7 SSL_do_handshake() failed (SSL: error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error) while SSL handshaking, client: unix:, server: unix:/app/t/servroot/html/nginx.sock at /usr/local/share/perl/5.22.1/Test/Nginx/Socket.pm line 1236.
TEST 12: validate good OCSP response - no certs in response - WARNING: killing the child process 138 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 135/258 TEST 10: validate good OCSP response - WARNING: killing the child process 151 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 149/258 TEST 11: fail to validate OCSP response - no issuer cert - WARNING: killing the child process 164 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 163/258 TEST 14: fail to validate OCSP response - OCSP response signed by an unknown cert and the OCSP response does not contain the unknown cert - WARNING: killing the child process 177 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 184/258 TEST 13: validate OCSP response - OCSP response signed by an unknown cert and the OCSP response contains the unknown cert - WARNING: killing the child process 190 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 198/258 TEST 19: revoked OCSP response with nextUpdate present - WARNING: killing the child process 203 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 205/258 TEST 7: create OCSP request (buffer too small) - WARNING: killing the child process 216 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 219/258 TEST 2: get OCSP responder (not found) - WARNING: killing the child process 229 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 231/258 TEST 15: fail to validate OCSP response - OCSP response returns revoked status - WARNING: killing the child process 242 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. 245/258 WARNING: TEST 15: fail to validate OCSP response - OCSP response returns revoked status - 2020/04/18 20:45:08 [crit] 255#0: *3 SSL_do_handshake() failed (SSL: error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error) while SSL handshaking, client: unix:, server: unix:/app/t/servroot/html/nginx.sock at /usr/local/share/perl/5.22.1/Test/Nginx/Socket.pm line 1236.
t/ocsp.t .. 252/258 WARNING: TEST 15: fail to validate OCSP response - OCSP response returns revoked status - 2020/04/18 20:45:09 [crit] 255#0: *7 SSL_do_handshake() failed (SSL: error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error) while SSL handshaking, client: unix:, server: unix:/app/t/servroot/html/nginx.sock at /usr/local/share/perl/5.22.1/Test/Nginx/Socket.pm line 1236.
END - WARNING: killing the child process 255 with force... at /usr/local/share/perl/5.22.1/Test/Nginx/Util.pm line 581.
t/ocsp.t .. ok
All tests successful.
Files=1, Tests=258, 54 wallclock secs ( 0.08 usr  0.02 sys +  1.49 cusr  1.92 csys =  3.51 CPU)
Result: PASS

ElvinEfendi avatar Apr 18 '20 14:04 ElvinEfendi

cc @agentzh @thibaultcha

ElvinEfendi avatar Apr 28 '20 15:04 ElvinEfendi

Can I get some feedback on this?

ElvinEfendi avatar May 29 '20 15:05 ElvinEfendi

@ElvinEfendi Sorry for the delay on our side. Please check out my review comments. Thanks!

agentzh avatar Jun 05 '20 20:06 agentzh

Hi,

Any news on this PR? I would like to contribute but I'm afraid it's out of my league.

Having access to the nextUpdate field will be useful to cache the OCSP responses. I don't see how we can activate OCSP in Openresty without caching any of the OCSP responses at all; it will be terrible on a server with heavy traffic.

Right now I'm thinking about managing the OCSP requests/responses without Openresty, by offloading the responsibility to another service and storing the OCSP responses inside a Redis DB that Openresty will use too. It may be more scalable on a server with a lot of certificates and/or different domains on it (like a load balancer for instance).

madrzejewski avatar Dec 02 '21 17:12 madrzejewski
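The caching use case raised above, as an added example that is not part of this PR or of lua-resty-core's own code: it derives a shared-dict TTL from nextUpdate (with a refresh margin and hard bounds) and only caches responses that validated against the certificate chain. It assumes `ocsp.validate_ocsp_response()` returns nextUpdate as a third value (a Unix timestamp, or nil when absent), which is the behaviour this PR sets out to add, and that `fetch_from_responder` is a caller-supplied helper (e.g. built on lua-resty-http) that POSTs the DER request to the responder URL.

```lua
-- Added example, not code from this PR or from lua-resty-core itself.
-- Assumes validate_ocsp_response() returns nextUpdate as a third value.
local ocsp = require "ngx.ocsp"

-- Requires `lua_shared_dict ocsp_cache 1m;` in nginx.conf (assumed name).
local cache = ngx.shared.ocsp_cache

local MIN_TTL = 60            -- never hit the responder on every handshake
local MAX_TTL = 24 * 3600     -- bound staleness even if nextUpdate is far out
local REFRESH_MARGIN = 600    -- refresh before the staple actually expires
local FALLBACK_TTL = 3600     -- used when the response carries no nextUpdate

-- Derive a cache TTL (seconds) from nextUpdate; fall back when it is absent.
local function ttl_from_next_update(next_update, now)
    if not next_update then
        return FALLBACK_TTL
    end
    local ttl = next_update - now - REFRESH_MARGIN
    if ttl < MIN_TTL then ttl = MIN_TTL end
    if ttl > MAX_TTL then ttl = MAX_TTL end
    return ttl
end

-- Staple a cached response for this chain, fetching and validating on a miss.
local function staple(der_cert_chain, fetch_from_responder)
    local key = "ocsp:" .. ngx.sha1_bin(der_cert_chain)
    local resp = cache:get(key)
    if not resp then
        local url, err = ocsp.get_ocsp_responder_from_der_chain(der_cert_chain)
        if not url then return nil, "no responder: " .. tostring(err) end
        local req
        req, err = ocsp.create_ocsp_request(der_cert_chain)
        if not req then return nil, "request: " .. err end
        resp, err = fetch_from_responder(url, req)
        if not resp then return nil, "fetch: " .. tostring(err) end
        -- Only a response that validates against our own chain is cached,
        -- so a tampered or revoked response is never reused from the cache.
        local ok, verr, next_update =
            ocsp.validate_ocsp_response(resp, der_cert_chain)
        if not ok then return nil, "validate: " .. verr end
        cache:set(key, resp, ttl_from_next_update(next_update, ngx.now()))
    end
    return ocsp.set_ocsp_status_resp(resp)
end

return { staple = staple, ttl_from_next_update = ttl_from_next_update }
```

Call `staple()` from the `ssl_certificate_by_lua*` handler after the chain is selected; a revoked response fails validation and is not cached, so the next handshake re-queries the responder.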