boringssl

History

David Benjamin 103ed08549 Implement legacy OCSP APIs for libssl. Previously, we'd omitted OpenSSL's OCSP APIs because they depend on a complex OCSP mechanism and encourage the the unreliable server behavior that hampers using OCSP stapling to fix revocation today. (OCSP responses should not be fetched on-demand on a callback. They should be managed like other server credentials and refreshed eagerly, so temporary CA outage does not translate to loss of OCSP.) But most of the APIs are byte-oriented anyway, so they're easy to support. Intentionally omit the one that takes a bunch of OCSP_RESPIDs. The callback is benign on the client (an artifact of OpenSSL reading OCSP and verifying certificates in the wrong order). On the server, it encourages unreliability, but pyOpenSSL/cryptography.io depends on this. Dcument that this is only for compatibility with legacy software. Also tweak a few things for compatilibility. cryptography.io expects SSL_CTX_set_read_ahead to return something, SSL_get_server_tmp_key's signature was wrong, and cryptography.io tries to redefine SSL_get_server_tmp_key if SSL_CTRL_GET_SERVER_TMP_KEY is missing. Change-Id: I2f99711783456bfb7324e9ad972510be8a95e845 Reviewed-on: https://boringssl-review.googlesource.com/28404 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>	2018-05-11 22:21:26 +00:00
..
openssl	Implement legacy OCSP APIs for libssl.	2018-05-11 22:21:26 +00:00

David Benjamin 103ed08549 Implement legacy OCSP APIs for libssl.

Previously, we'd omitted OpenSSL's OCSP APIs because they depend on a
complex OCSP mechanism and encourage the the unreliable server behavior
that hampers using OCSP stapling to fix revocation today. (OCSP
responses should not be fetched on-demand on a callback. They should be
managed like other server credentials and refreshed eagerly, so
temporary CA outage does not translate to loss of OCSP.)

But most of the APIs are byte-oriented anyway, so they're easy to
support. Intentionally omit the one that takes a bunch of OCSP_RESPIDs.

The callback is benign on the client (an artifact of OpenSSL reading
OCSP and verifying certificates in the wrong order). On the server, it
encourages unreliability, but pyOpenSSL/cryptography.io depends on this.
Dcument that this is only for compatibility with legacy software.

Also tweak a few things for compatilibility. cryptography.io expects
SSL_CTX_set_read_ahead to return something, SSL_get_server_tmp_key's
signature was wrong, and cryptography.io tries to redefine
SSL_get_server_tmp_key if SSL_CTRL_GET_SERVER_TMP_KEY is missing.

Change-Id: I2f99711783456bfb7324e9ad972510be8a95e845
Reviewed-on: https://boringssl-review.googlesource.com/28404
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>

2018-05-11 22:21:26 +00:00

openssl

Implement legacy OCSP APIs for libssl.

2018-05-11 22:21:26 +00:00