[Libwebsockets] [External] Re: OCSP Stapling support for libwebsockets

Beach, Chris Chris.Beach at resideo.com
Tue Jan 28 22:31:05 CET 2020


I am working on a patch in my personal backlog now.


-----Original Message-----
From: Andy Green <andy at warmcat.com> 
Sent: Friday, December 13, 2019 10:28 AM
To: Beach, Chris <chris.beach at resideo.com>; libwebsockets at ml.libwebsockets.org
Subject: [External] Re: [Libwebsockets] OCSP Stapling support for libwebsockets



On 12/11/19 10:18 PM, Beach, Chris wrote:
> I am using libwebsockets, with openssl for backend TLS support, on an 
> embedded device communicating only with our servers.
> 
> I would like to enforce certificate verification to ensure the 
> certificate has not been revoked, utilizing OCSP stapling.
> 
> We are validating that the certificate is signed by a trusted authority, 
> but cannot determine if the certificate has been revoked.
> 
> Is this possible?

You mean you want to check if the trusted authority that signed the OCSP ticket from the server has had its certificate revoked?

You need to fish out the url from the cert whose signature you are trusting, for libwebsockets.org it's

http://ocsp.int-x3.letsencrypt.org

And use the OCSP protocol to query it; unfortunately that's a pile of ASN.1

https://tools.ietf.org/html/rfc6960#section-4.1.1

OpenSSL seems to have a wrapper

https://www.openssl.org/docs/man1.1.0/man3/OCSP_resp_find.html

No idea if mbedtls has it or not; it looks like it has been a wishlist item for 30 months

https://github.com/ARMmbed/mbedtls/issues/880

Anyway no, I haven't needed this and haven't integrated it in lws.  If you want to do that, a patch is very welcome.

-Andy

> Thanks
> 
> Chris
> 
> 
> _______________________________________________
> Libwebsockets mailing list
> Libwebsockets at ml.libwebsockets.org
> https://libwebsockets.org/mailman/listinfo/libwebsockets
> 
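The thread above describes two pieces of the OCSP flow that a client has to get right: pulling the responder URL out of the certificate's AuthorityInfoAccess extension, and reading the certStatus out of the (stapled or fetched) OCSPResponse, which is the "pile of ASN.1" Andy mentions. The example below is an added illustration written for this page; it is not lws or OpenSSL code. It walks those DER structures with the Python standard library only, over sample data that is constructed inline (the hostnames, hashes, serial number and the zero-filled signature are all made up). It deliberately stops short of verifying the signature over tbsResponseData, which needs a crypto library (OpenSSL's OCSP_basic_verify() does it) and must succeed before any status read this way is trusted. The accept() policy is fail-closed: anything other than a fresh "good" answer rejects the certificate, which is the behaviour a revocation check on an embedded device should have.

```python
"""Added example: DER structures behind OCSP, stdlib only, constructed sample data."""
from datetime import datetime, timedelta, timezone

OID_OCSP = "1.3.6.1.5.5.7.48.1"          # id-ad-ocsp (AIA accessMethod)
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"    # id-ad-caIssuers
OID_BASIC = "1.3.6.1.5.5.7.48.1.1"       # id-pkix-ocsp-basic (responseType)
OID_SHA1 = "1.3.14.3.2.26"
OID_SHA256_RSA = "1.2.840.113549.1.1.11"

# --- minimal DER encode/decode (enough for the structures used here) ---
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                      # base-128, high bit = "more follows"
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += reversed(chunk)
    return tlv(0x06, bytes(out))

def gtime(dt):
    return tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())

def read_tlv(buf, pos=0):
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                            # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_gtime(body):
    return datetime.strptime(body.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

# --- step 1: find the responder URL in the AIA extension value ---
def ocsp_urls_from_aia(aia_der):
    """AuthorityInfoAccess ::= SEQUENCE OF AccessDescription { OID, GeneralName }."""
    tag, seq, _ = read_tlv(aia_der)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE")
    urls = []
    for _, desc in children(seq):
        (_, method), (loc_tag, loc) = list(children(desc))[:2]
        if decode_oid(method) == OID_OCSP and loc_tag == 0x86:   # [6] uniformResourceIdentifier
            urls.append(loc.decode("ascii"))
    return urls

# --- step 2: read certStatus out of an OCSPResponse (signature NOT checked here) ---
STATUS_NAMES = {0: "successful", 1: "malformedRequest", 2: "internalError",
                3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

def parse_ocsp_response(der):
    """Return (responseStatus name, list of SingleResponse dicts)."""
    _, outer, _ = read_tlv(der)
    items = list(children(outer))
    status = STATUS_NAMES.get(items[0][1][0], "unknown")
    if status != "successful":
        return status, []
    _, rb_seq = next(children(items[1][1]))          # responseBytes [0] EXPLICIT
    (_, rtype), (_, octets) = list(children(rb_seq))
    if decode_oid(rtype) != OID_BASIC:
        raise ValueError("unexpected responseType")
    _, basic, _ = read_tlv(octets)                    # BasicOCSPResponse
    _, tbs = next(children(basic))                    # tbsResponseData (signed part)
    responses = next(v for t, v in children(tbs) if t == 0x30)
    out = []
    for _, single in children(responses):
        fields = list(children(single))
        cert_id = list(children(fields[0][1]))
        st_tag, st_val = fields[1]                    # CHOICE: [0] good, [1] revoked, [2] unknown
        name = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}.get(st_tag, "bad-tag")
        entry = {"serial": int.from_bytes(cert_id[3][1], "big"), "status": name,
                 "this_update": parse_gtime(fields[2][1]), "next_update": None}
        if name == "revoked":
            entry["revocation_time"] = parse_gtime(next(children(st_val))[1])
        for t, v in fields[3:]:
            if t == 0xA0:                             # nextUpdate [0] EXPLICIT
                entry["next_update"] = parse_gtime(next(children(v))[1])
        out.append(entry)
    return status, out

def accept(single, now, max_skew=timedelta(minutes=5)):
    """Fail closed: only a current 'good' answer lets the handshake proceed."""
    if single["status"] != "good" or single["this_update"] > now + max_skew:
        return False
    nxt = single["next_update"]
    return nxt is None or now < nxt

# --- constructed sample data (hostnames, hashes, serial, signature all made up) ---
def sample_aia():
    return tlv(0x30, tlv(0x30, oid(OID_OCSP) + tlv(0x86, b"http://ocsp.example.test"))
               + tlv(0x30, oid(OID_CA_ISSUERS) + tlv(0x86, b"http://ca.example.test/ca.der")))

def sample_response(status_tag, this_update, next_update=None):
    cert_id = tlv(0x30, tlv(0x30, oid(OID_SHA1) + tlv(0x05, b"")) + tlv(0x04, b"\x11" * 20)
                  + tlv(0x04, b"\x22" * 20) + tlv(0x02, (0x1234).to_bytes(2, "big")))
    cert_status = tlv(0xA1, gtime(this_update)) if status_tag == 0xA1 else tlv(status_tag, b"")
    single = cert_id + cert_status + gtime(this_update)
    if next_update:
        single += tlv(0xA0, gtime(next_update))
    tbs = tlv(0x30, tlv(0xA2, tlv(0x04, b"\x33" * 20)) + gtime(this_update)   # responderID byKey
              + tlv(0x30, tlv(0x30, single)))
    basic = tlv(0x30, tbs + tlv(0x30, oid(OID_SHA256_RSA) + tlv(0x05, b""))
                + tlv(0x03, b"\x00" * 17))            # placeholder signature, not valid
    return tlv(0x30, tlv(0x0A, b"\x00") + tlv(0xA0, tlv(0x30, oid(OID_BASIC) + tlv(0x04, basic))))

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(ocsp_urls_from_aia(sample_aia()))
    _, singles = parse_ocsp_response(sample_response(0x80, now, now + timedelta(days=7)))
    print(singles[0], accept(singles[0], now))
```

In a real client the URL from step 1 is only needed when the server does not staple; with stapling the OCSPResponse arrives inside the TLS handshake and the same parse applies after OCSP_basic_verify() has checked the responder's signature and chain. Note that a responder answering "unknown", a stale nextUpdate, or a non-successful responseStatus all reject here; relaxing that (soft-fail) is what turns revocation checking into a check an attacker can switch off by blocking the responder.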

