Недостатком Сшивание ocsp и должны Штапель и почему отзыва сертификатов продолжает нарушаться

По | Октября 5, 2017

Сегодня из серверов ocsp позволяет шифровать были оффлайн на некоторое время. Это повлекло за гораздо больше хлопот, чем оно должно быть, как итог в принципе у нас есть все прикладные науки там, чтобы бороться с таких инцидентов. Nonetheless resulting from failures in how they’re carried out they dont actually work.

CRL and OCSP two applied sciences that dont work

CRL and OCSP two applied sciences that dont work

Certificates might be revoked. That signifies that for some cause the certificates ought to not be used. A typical situation is when a certificates proprietor learns that his servers have been hacked and his non-public keys stolen. On this case its good to keep away from that the stolen keys and their corresponding certificates can nonetheless be used. Subsequently a TLS shopper like a browser ought to test that a certificates offered by a server shouldn’t be revoked.

Thats the idea not much less than. Nonetheless the historical past of certificates revocation is a historical past of two applied sciences that dont actually work.

One methodology are certificates revocation lists (CRLs). Its fairly easy: A certificates authority provides an inventory of certificates which can be revoked. This has an apparent limitation: These lists can develop. On condition that a revocation test must occur throughout a connection its apparent that that is non-workable in any practical scenario.

The second methodology known as OCSP (Online Certificates Standing Protocol). Right here a shopper can question a server concerning the standing of a single certificates and can get a signed reply. This avoids the scale downside of CRLs, but it surely nonetheless has quite so much of issues. On condition that connections ought to be quick its fairly a excessive price for a shopper to make a connection to an OCSP server throughout every handshake. Its additionally regarding for privateness, because it provides the operator of an OCSP server plenty of information.

However theres a extra extreme downside: What occurs if an OCSP server shouldn’t be out there? From a safety viewpoint one could say that a certificates that cant be OCSP-checked ought to be thought of invalid. Nonetheless OCSP servers are far too unreliable. So virtually all shoppers implement OCSP in smooth fail mode (or not at all). Smooth fail signifies that if the OCSP server shouldn’t be out there the certificates is taken into account valid.

That makes the entire OCSP idea pointless: If an attacker tries to abuse a stolen, revoked certificates he can simply block the connection to the OCSP server and thus a shopper cant learn that its revoked. Resulting from this inherent safety failure Chrome determined to disable OCSP checking altogether. As a workaround they’ve one thing known as CRLsets and Mozilla has one thing comparable known as OneCRL, which is basically a giant revocation listing for vital revocations managed by the browser vendor. Nonetheless this might be a weak workaround that doesnt cowl most certificates.

OCSP Stapling and Should Staple to the rescue?

There are two applied sciences that might repair this: OCSP Stapling and Must-Staple.

OCSP Stapling strikes the querying of the OCSP server from the shopper to the server. The server will get OCSP replies after which sends them throughout the TLS handshake. This has a quantity of advantages: It avoids the latency and privateness implications of OCSP. It additionally permits surviving quick downtimes of OCSP servers, as a outcome of a TLS server can cache OCSP replies (theyre normally legitimate for a quantity of days).

However it nonetheless doesn’t resolve the safety situation: If an attacker has a stolen, revoked certificates it could be used with out Stapling. The browser wont find out about it and can question the OCSP server, this request can once more be blocked by the attacker and the browser will settle for the certificate.

Therefore an extension for certificates has been launched that permits us to require Stapling. Its normally known as OCSP Must-Staple and is outlined in https://tools.ietf.org/html/rfc7633 RFC 7633 (although the RFC doesnt point out the title Must-Staple, which could cause some confusion). If a browser sees a certificates with this extension that is used with out OCSP Stapling it shouldnt settle for it.

So we ought to be positive. With OCSP Stapling we are in a position to keep away from the latency and privateness problems with OCSP and we are in a position to keep away from failing when OCSP servers have quick downtimes. With OCSP Must-Staple we repair the safety issues. No extra smooth fail. All good, право?

The OCSP Stapling implementations of Apache and Nginx are broken

Ну, right here come the implementations. Whereas plenty of protocols use TLS, the most typical use case is the net and HTTPS. In line with Netcraft statistics by far the largest share of energetic websites on the Web run on Apache (о 46%), adopted by Nginx (о 20 %). Its cheap to say that if these applied sciences ought to present an answer for revocation they want to be usable with the main merchandise in that space. On the server facet that is solely OCSP Stapling, as OCSP Should Staple solely must be checked by the client.

What would you count on from a working OCSP Stapling implementation? It ought to attempt to keep away from a state of affairs the place its unable to ship out a legitimate OCSP response. Thus roughly what it ought to do is to fetch a legitimate OCSP response as quickly as potential and cache it until it will get a model new one or it expires. It ought to moreover attempt to fetch a model new OCSP response lengthy earlier than the outdated one expires (ideally a quantity of days). And it ought to by no means throw away a legitimate response until it has a extra moderen one. Google developer Ryan Sleevi wrote a detailed description of what a correct OCSP Stapling implementation could look like.

Apache does none of this.

If Apache tries to resume the OCSP response and will get an error from the OCSP server e. г. as a outcome of its at the moment malfunctioning it would throw away the present, nonetheless legitimate OCSP response and exchange it with the error. It would then ship out stapled OCSP errors. Which makes zero sense. Firefox will present an error if it sees this. This has been reported in 2014 and remains to be unfixed.

Now theres an choice in Apache to keep away from this habits: SSLStaplingReturnResponderErrors. Its defaulting to on. Should you swap it off you wont get sane habits (that is use the nonetheless legitimate, cached response), as a substitute Apache will disable Stapling for the time it will get errors from the OCSP server. Thats higher than sending out errors, but it surely clearly makes utilizing Should Staple a no go.

It will get even crazier. I’ve set this feature, however this morning I nonetheless obtained complaints that Firefox customers have been seeing errors. Thats as a outcome of on this case the OCSP server wasnt sending out errors, it was utterly unavailable. For that state of affairs Apache has a function that may pretend a tryLater error to ship out to the shopper. If youre questioning how that makes any sense: It doesnt. The tryLater error of OCSP isnt helpful in any respect in TLS, since you cant strive later throughout a handshake which solely lasts seconds.

This is managed by an various choice: SSLStaplingFakeTryLater. Nonetheless if we learn the documentation it says Solely efficient ifSSLStaplingReturnResponderErrorsis additionally enabled. So if we disabled SSLStapingReturnResponderErrors this shouldnt matter, правильное? Эффективно: The documentation is wrong.

There are extra issues: Apache doesnt get the OCSP responses on startup, it solely fetches them throughout the handshake. This causes additional latency on the primary connection and will increase the chance of hitting a state of affairs the place you dont have a legitimate OCSP response. Additionally cached OCSP responses dont survive server restarts, theyre saved in an in-memory cache.

Theres at the moment no solution to configure Apache to deal with OCSP stapling in an inexpensive manner. Heres the configuration I take benefit of, which can not much less than be positive that it wont ship out errors and cache the responses a bit longer than it does by default:

SSLStaplingCache shmcb:/var/tmp/ocsp-stapling-cache/cache(128000000)
SSLUseStapling on
SSLStaplingResponderTimeout 2
SSLStaplingReturnResponderErrors off
SSLStaplingFakeTryLater off
SSLStaplingStandardCacheTimeout 86400

Im much less acquainted with Nginx, however from what I hear it isnt significantly better both. In line with https://blog.crashed.org/nginx-stapling-busted/ this blogpost it doesnt fetch OCSP responses on startup and can ship out the primary TLS connections with out stapling even when its enabled. Heres a blog publish that recommends to work round this by connecting to all configured hosts after the server has started.

To summarize: That is all a giant mess. Each Apache and Nginx have OCSP Stapling implementations which can be primarily damaged. So lengthy as youre utilizing both of these then enabling Must-Staple is a dependable solution to shoot your self within the foot and get into hassle. Dont allow it should you plan to make use of Apache or Nginx.

Certificate revocation is damaged. It has been damaged because the invention of SSL and its nonetheless damaged. OCSP Stapling and OCSP Must-Staple could repair it in principle. However that may require working and secure implementations in probably the most extensively used server products.


Пожалуйста, проверьте это отличный сервис по: http://www.test-net.org/services/network-mask-calculator/ меню или посетить бесплатные услуги

[Всего голосов: 0    Средний: 0/5]

Оставить ответ

Ваш адрес электронной почты не будет опубликован. Обязательные поля помечены *