I'd be happy to, if you engage me as a contractor.

-Kyle H

On Tue, Apr 14, 2009 at 12:26 PM, Vijay Kothamasu (vikotham)
<vikot...@cisco.com> wrote:
> Hi Kyle,
>
> Thanks for your valuable inputs, find my response inline.
>
>
> Then don't return from the original SSL_CTX_set_verify callback until you
> either:
> a) receive a valid OCSP response that says it's okay,
> b) receive a valid OCSP response that says it's not okay,
> c) receive an invalid OCSP response (i.e., OCSP failure), or
> d) time out.
> [Vijay] Blocking in the callback function is not feasible, as our product
> operates in a single-thread model, for whatever reason that may be. If we
> block in the callback function there will be a huge number of other events
> which will not be processed till we return from this function, which is
> really costly for our kind of scenario.
>
> You're perilously close to a "chicken and egg" problem here:
>
> 1) You need the certificate to check
> 2) you cannot get the certificate to check until you attempt to make the
> connection
> 3) once you connect, you are stuck in a state machine where you haven't
> checked the certificate.
> [Vijay] You are very correct.
>
> Some browsers try to handle this kind of situation by scanning HTML for
> links and pre-loading them to the cache.  These tend not to work all that
> well.
>
> If you're returning asynchronously, then you also need to have a mechanism
> to send asynchronous exceptions.
> [Vijay] Could you please provide more details on this method? What are these
> exceptions? How do we report the status through these exceptions
> asynchronously? Please provide us a sample program and documentation
> regarding the exceptions. Also, do you foresee any issues with this kind of
> approach?
>
>   Either that, or you have to make it synchronous until the OCSP response is
> returned.
> [Vijay] I discussed with our team; the synchronous method is not feasible.
>
> Thanks again for your help.
>
> Regards
> Vijay
>
> -----Original Message-----
> From: Kyle Hamilton [mailto:aerow...@gmail.com]
> Sent: Tuesday, April 14, 2009 7:57 AM
> To: Vijay Kothamasu (vikotham)
> Cc: openssl-users@openssl.org; Kamalakanta Palei (kpalei); Jagadish
> Mynampati (jmynampa); Uma Sankar Panda (upanda)
> Subject: Re: Query on OpenSSL for Certificate verification
>
> Then don't return from the original SSL_CTX_set_verify callback until you
> either:
> a) receive a valid OCSP response that says it's okay,
> b) receive a valid OCSP response that says it's not okay,
> c) receive an invalid OCSP response (i.e., OCSP failure), or
> d) time out.
>
> You're perilously close to a "chicken and egg" problem here:
>
> 1) You need the certificate to check
> 2) you cannot get the certificate to check until you attempt to make the
> connection
> 3) once you connect, you are stuck in a state machine where you haven't
> checked the certificate.
>
> Some browsers try to handle this kind of situation by scanning HTML for
> links and pre-loading them to the cache.  These tend not to work all that
> well.
>
> If you're returning asynchronously, then you also need to have a mechanism
> to send asynchronous exceptions.  Either that, or you have to make it
> synchronous until the OCSP response is returned.
>
> -Kyle H
>
> On Mon, Apr 13, 2009 at 2:35 PM, Vijay Kothamasu (vikotham)
> <vikot...@cisco.com> wrote:
>> Hi Kyle,
>>
>> Sorry for the delayed response, I am just back from my vacation.
>>
>> Thank you so much for your response and the information provided.
>>
>> But even with the SSL_CTX_set_verify() callback invocation, the result of
>> the certificate validation needs to be returned in the context of the
>> callback function itself in a synchronous manner, whereas in our scenario
>> the cert validation status is reported back in an asynchronous manner, as I
>> explained earlier.
>>
>> I am just wondering how can I realize that scenario.
>>
>> Thanks again.
>>
>> Regards
>> Vijay
>>
>> -----Original Message-----
>> From: Kyle Hamilton [mailto:aerow...@gmail.com]
>> Sent: Tuesday, April 07, 2009 12:26 PM
>> To: openssl-users@openssl.org
>> Cc: Kamalakanta Palei (kpalei); kvi...@gmail.com; Vijay Kothamasu
>> (vikotham)
>> Subject: Re: Query on OpenSSL for Certificate verification
>>
>> This is a protocol called OCSP, with its "designated responder" mechanism.
>>
>> If you want to implement it, call the OCSP functions with the DR address
>> and the fields that OCSP needs during the SSL_CTX_set_verify() callback
>> invocation; if you really need to, create two separate SSL_CTX contexts, one
>> of which calls a function to check the certificate status, the other of
>> which always passes (so that the DR certificate doesn't need to be in the
>> client's local store).
>>
>> Note that I consider this insecure.  First, the denial of service
>> potential (the DR goes down).  Second, man-in-the-middle or redirection
>> attacks (the DR is replaced by a bogus one).  Third, the entire point of
>> X.509 is to allow for clients to have all the information they need to
>> verify certificates in the absence of an online authority.
>>
>> For more information I suggest you read the cryptographic literature for
>> the protocols that exist.
>>
>> -Kyle H
>>
>> On Mon, Apr 6, 2009 at 8:18 AM, Vijay Kothamasu (vikotham)
>> <vikot...@cisco.com> wrote:
>>> Hi,
>>>
>>> I am just wondering if there is a way to realize the following
>>> scenario with the help of the OpenSSL libraries; here is a brief
>>> explanation in this regard.
>>>
>>> ---------------------------------
>>> I have a Client and a Server who need to set up a secure connection
>>> using TLS/SSL. As part of the handshake, the Server sends its certificate
>>> to the Client, but the Client doesn't have any certificates with it to
>>> authenticate the certificate; rather, it needs to communicate (via a
>>> non-blocking call) with another entity (like a Certificate Authority
>>> (CA)) to get the certificate validated. This CA will look through its
>>> list of certificates to authenticate it and inform the Client back in an
>>> asynchronous manner (maybe via some callback) that the certificate is
>>> valid. Now the Client will proceed further with the Server to complete
>>> the handshake and set up the connection.
>>>
>>> Here is a pictorial description of this scenario for better clarity
>>>
>>>
>>> ---------------------------------
>>>
>>> I went through the available documentation; to the best of my
>>> understanding, I couldn't find the library APIs (SSL/BIO/X509) to
>>> realize the above scenario.
>>>
>>> Is there any way to fit the above verification setup in as part of
>>> the handshake? It will be of great help if anybody can provide me
>>> pointers in this regard.
>>>
>>> Thanks for your help in advance.
>>>
>>> Regards
>>> Vijay
>>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
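The four outcomes Kyle lists (a valid "good", a valid "not okay", an invalid response, a time-out) and his "designated responder" remark are the whole design space for the blocking callback he suggests. The following is an added example, not code from the thread or from OpenSSL itself, written against Ruby's OpenSSL bindings because they are a thin wrapper over the same OCSP_* and X509_STORE_CTX verify-callback machinery discussed above. It builds a throwaway CA, a delegated OCSP responder (a certificate issued by that CA carrying id-kp-OCSPSigning) and a leaf, runs the responder in-process behind a constructed "transport" lambda, and performs the OCSP lookup inside the depth-0 verify callback so that the callback does not return until one of the four outcomes exists. The CN values, serial numbers and the 300-second clock-skew allowance are assumptions of the example.

```ruby
require 'openssl'
require 'timeout'

# Added example, not from the thread: a blocking verify callback that does an
# OCSP lookup against a delegated (designated) responder. CA, responder, leaf
# and the "transport" are all constructed in-process so this runs offline;
# the names, serials and skew window are made up.

def issue_cert(cn, key, issuer_cert, issuer_key, serial, ca: false, ocsp_signer: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 300
  cert.not_after = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature', true))
  # A delegated responder must carry id-kp-OCSPSigning and be issued by the CA
  # whose certificates it answers for; OCSP_basic_verify enforces both.
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'OCSPSigning', false)) if ocsp_signer
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

def build_pki
  ca_key, resp_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca   = issue_cert('Test CA', ca_key, nil, ca_key, 1, ca: true)
  resp = issue_cert('OCSP Responder', resp_key, ca, ca_key, 2, ocsp_signer: true)
  leaf = issue_cert('server.example', leaf_key, ca, ca_key, 3)
  { ca: ca, responder: resp, responder_key: resp_key, leaf: leaf }
end

# Constructed responder (Kyle's "DR"): answers from an in-memory map of
# revoked serial => reason, echoing the request nonce into the response.
def ocsp_responder(pki, revoked = {})
  lambda do |request_der|
    req = OpenSSL::OCSP::Request.new(request_der)
    basic = OpenSSL::OCSP::BasicResponse.new
    basic.copy_nonce(req)
    req.certid.each do |cid|
      if (reason = revoked[cid.serial.to_i])
        basic.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, reason, -3600, 0, 3600, [])
      else
        basic.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, 0, nil, 0, 3600, [])
      end
    end
    basic.sign(pki[:responder], pki[:responder_key], [pki[:ca]], 0, OpenSSL::Digest.new('SHA256'))
    OpenSSL::OCSP::Response.create(OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL, basic).to_der
  end
end

# Client side. :good is outcome a), :revoked is b), :failed covers c) (malformed,
# unverifiable, stale or replayed response) and d) (no answer before the deadline).
def ocsp_status(leaf, issuer, trust, transport, deadline: 2.0)
  cid = OpenSSL::OCSP::CertificateId.new(leaf, issuer)
  req = OpenSSL::OCSP::Request.new
  req.add_certid(cid)
  req.add_nonce                                            # defeats replay of an old "good"
  der   = Timeout.timeout(deadline) { transport.call(req.to_der) }
  resp  = OpenSSL::OCSP::Response.new(der)
  return :failed unless resp.status == OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
  basic = resp.basic
  return :failed unless req.check_nonce(basic) == 1        # nonce present in both and equal
  return :failed unless basic.verify([], trust)            # signature and responder delegation
  single = basic.status.find { |s| s[0].cmp(cid) }
  return :failed unless single
  this_update, next_update = single[4], single[5]
  now = Time.now
  return :failed if this_update > now + 300 || (next_update && next_update < now - 300)
  { OpenSSL::OCSP::V_CERTSTATUS_GOOD => :good,
    OpenSSL::OCSP::V_CERTSTATUS_REVOKED => :revoked }.fetch(single[1], :unknown)
rescue Timeout::Error, OpenSSL::OpenSSLError
  :failed
end

# The blocking callback: at depth 0 it does not return until ocsp_status has an
# outcome, and only a verified "good" lets the chain pass (hard-fail). A separate
# trust store is used for the OCSP check so the callback is not re-entered while
# OpenSSL verifies the responder's own chain.
def verify_with_ocsp(leaf, ca, transport, deadline: 2.0)
  trust = OpenSSL::X509::Store.new
  trust.add_cert(ca)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  outcome = nil
  store.verify_callback = proc do |preverify_ok, sctx|
    next preverify_ok unless preverify_ok && sctx.error_depth.zero?
    issuer = sctx.chain[1] || sctx.current_cert
    outcome = ocsp_status(sctx.current_cert, issuer, trust, transport, deadline: deadline)
    outcome == :good
  end
  [store.verify(leaf), outcome]
end
```

Typical use is `pki = build_pki` followed by `verify_with_ocsp(pki[:leaf], pki[:ca], ocsp_responder(pki))`, which returns `[true, :good]`; passing a responder built with `3 => OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE` gives `[false, :revoked]`, and a transport that returns garbage, replays an earlier response, or sleeps past the deadline gives `[false, :failed]`. Treating c) and d) as a failed handshake is the hard-fail choice; soft-failing them avoids the denial-of-service Kyle points out when the responder is down, but then an attacker who can block the OCSP path gets the same result as a "good" answer.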