Open
Bug 811329
Opened 12 years ago
Updated 1 year ago
Extend selfserv to implement OCSP stapling
Categories
(NSS :: Tools, enhancement, P5)
Tracking
(Not tracked)
NEW
People
(Reporter: KaiE, Assigned: KaiE)
References
Details
Attachments
(1 file)
|
30.36 KB,
patch
|
Details | Diff | Splinter Review |
We should extend selfserv to support OCSP stapling for testing purposes.
I propose to start with a very simple approach, that doesn't need an external connection to an OCSP server.
If the NSS database used by selfserv contains the CA's private key, then selfserv shall be able to create its own OCSP response.
|
Assignee | |
Comment 1•12 years ago
|
||
In addition to selfserv code, it's also necessary to implement the server side of the cert_status handshake protocol in libSSL.
I'm attaching a first working patch that implements both.
|
|
Assignee | |
Comment 2•12 years ago
|
||
Assignee: nobody → kaie
|
|
Assignee | |
Comment 3•12 years ago
|
||
Note the attached patch isn't cleaned up yet, and it might contain snippets that belong elsewhere, and of course, everything depends on the work from bug 360420. So, this patch serves mostly as a backup, at this time.
In order to test this mode of selfserv, which creates the OCSP response on its own
(without talking to an external OCSP server (yet) for simplification purposes),
I need a NSS database that contains the private keys for both the server cert and for the CA that issued the server cert. I want to create a new certificate database "stapling" as part of the test suite, which copies the "server" directory to the new directory "stapling", and imports the CA's private key from the "CA" directory.
cp server -> stapling
cd stapling
pk12util -d ../CA/ -o ca.p12 -n TestCA -K nss -W nss
pk12util -i ca.p12 -d . -K nss -W nss
|
||
Updated•2 years ago
|
Severity: normal → S3
|
||
Updated•1 year ago
|
Severity: S3 → N/A
Type: defect → enhancement
Priority: -- → P5
You need to log in
before you can comment on or make changes to this bug.
Description
•