OCSP stapling support can be used to optimize TLS connections #33377

Closed
Tracked by #64488
vincentkam opened this issue Mar 9, 2020 · 8 comments
Assignees
Labels
area-System.Security Cost:L Work that requires one engineer up to 4 weeks Priority:2 Work that is important, but not critical for the release Team:Libraries User Story A single user-facing feature. Can be grouped under an epic.
Milestone

Comments

@vincentkam

vincentkam commented Mar 9, 2020

Hello :)

Are there any plans to expand support for OCSP stapling? Using Wireshark, I see that the status_request TLS extension is only set on macOS on .NET Core >= 2.0 after setting checkCertificateRevocation to true when calling SslStream.AuthenticateAsClient. On Linux and Windows, there appears to be no stapling support, even though my loose understanding is that both OpenSSL and Secure Channel support stapling.

The reason I'm asking for expanded OCSP stapling support is that we would like the MongoDB .NET/C# driver to have support for stapled OCSP on Linux and Windows (our goal is to have all MongoDB drivers fully support OCSP).

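Added example, not code from this issue, from dotnet/runtime or from the MongoDB driver: a client that enables online revocation checking, which is the setting that makes SslStream send the status_request extension where the platform supports it, and whose validation callback tells a revoked certificate apart from one whose revocation status could not be determined. `Host`, `Port`, `RevocationAwareClient` and `AllowUndeterminedRevocation` are names chosen for this example; whether the peer's stapled OCSP response is actually consumed depends on the .NET version and operating system, as discussed in this thread.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example (not from the dotnet/runtime issue or the MongoDB driver).
// Turns on online revocation checking and inspects the chain status in the
// validation callback so that "revoked" and "could not check" are distinguishable.
static class RevocationAwareClient
{
    // Hypothetical target; point this at the server under test.
    const string Host = "example.com";
    const int Port = 443;

    // Chain status flags meaning the revocation check did not actually complete.
    const X509ChainStatusFlags Undetermined =
        X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;

    // Set to true only if you consciously accept soft-fail: an unreachable OCSP
    // responder or CRL endpoint is then tolerated instead of dropping the connection.
    const bool AllowUndeterminedRevocation = false;

    static bool ValidateRemoteCertificate(object sender, X509Certificate? certificate,
        X509Chain? chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        // Only chain errors can be a revocation problem; name mismatch or a
        // missing certificate is never overridden here.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || chain is null)
        {
            Console.Error.WriteLine($"TLS policy errors: {errors}");
            return false;
        }

        bool revoked = false, undetermined = false, other = false;
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            Console.Error.WriteLine($"chain status: {status.Status} ({status.StatusInformation?.Trim()})");
            if ((status.Status & X509ChainStatusFlags.Revoked) != 0) revoked = true;
            else if ((status.Status & Undetermined) != 0) undetermined = true;
            else if (status.Status != X509ChainStatusFlags.NoError) other = true;
        }

        if (revoked || other)
            return false;                        // hard failure: revoked, untrusted, expired, ...
        if (undetermined)
            return AllowUndeterminedRevocation;  // default: fail closed
        return false;
    }

    public static async Task Main()
    {
        using var tcp = new TcpClient();
        await tcp.ConnectAsync(Host, Port);

        await using var tls = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false,
            ValidateRemoteCertificate);

        var options = new SslClientAuthenticationOptions
        {
            TargetHost = Host,
            // Without this no revocation check runs and no OCSP status is requested.
            // X509RevocationMode.Online is what the bool checkCertificateRevocation
            // parameter of the older AuthenticateAsClient overload maps to.
            CertificateRevocationCheckMode = X509RevocationMode.Online,
        };

        try
        {
            await tls.AuthenticateAsClientAsync(options);
            Console.WriteLine($"{tls.SslProtocol} / {tls.NegotiatedCipherSuite} to {Host}: revocation verified");
        }
        catch (AuthenticationException ex)
        {
            // Reached when the callback returned false; the chain status lines above say why.
            Console.Error.WriteLine($"handshake rejected: {ex.Message}");
        }
    }
}
```

Run it with `dotnet run` on a .NET 6 or later SDK and capture the handshake with Wireshark to see whether status_request is sent on your platform; to reproduce the failure mode, block the CA's OCSP and CRL URLs at the firewall and observe that the chain status reports RevocationStatusUnknown/OfflineRevocation rather than Revoked, which is the case the `AllowUndeterminedRevocation` switch decides.
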
@Dotnet-GitSync-Bot
Collaborator

I couldn't add an area label to this Issue.

Check out this page to find out which area owner to ping, or please add exactly one area label to help train me in the future.

@Dotnet-GitSync-Bot Dotnet-GitSync-Bot added the untriaged New issue has not been triaged by the area owner label Mar 9, 2020
@karelz
Member

karelz commented Mar 12, 2020

@bartonjs this looks like something crypto layer should support first. Or do we need to do something special in SslStream?

@bartonjs
Member

@karelz Both 😄

For Windows, it's entirely going to be SslStream. Presumably there's just a flag or option you set for SChannel and it does it.

For Linux, things are more involved:

  • We'd need to expose API (shared source or public) to either get a current OCSP response from the cache or build the request and get the response (and cache it if appropriate), which also tells you the expiration time of the response.
    • It's not just "here's the stuff I used for determining revocation" since it needs to be OCSP-only, and not use CRL.
  • SslStream would need to add that to the SSL* or SSL_CTX* or wherever it goes.

I'd be OK with doing the "so, give me OCSP data to staple" as internal to the Linux PAL for SslStream right now; and if there's time and demand we can make a public version of it.

@bartonjs bartonjs added this to the 6.0.0 milestone Jul 8, 2020
@bartonjs bartonjs removed the untriaged New issue has not been triaged by the area owner label Jul 8, 2020
@ayende
Contributor

ayende commented Nov 1, 2020

Would like to add that this would be a very welcome feature for us as well.
CRL usage as it currently stands leaves us with either disabling it or suffering random downtime.

https://ayende.com/blog/192261-B/the-failure-of-a-computer-you-didnt-even-know-existed?

@jeffhandley jeffhandley added the Priority:3 Work that is nice to have label Jan 14, 2021
@bartonjs bartonjs added the Cost:L Work that requires one engineer up to 4 weeks label Jan 15, 2021
@jeffhandley jeffhandley modified the milestones: 6.0.0, 7.0.0 Jun 17, 2021
@jeffhandley jeffhandley changed the title OCSP stapling support OCSP stapling support can be used to optimize TLS connections Jan 9, 2022
@jeffhandley jeffhandley added the User Story A single user-facing feature. Can be grouped under an epic. label Jan 9, 2022
@adityamandaleeka
Member

@jeffhandley Just curious, should this still be at priority 3 given that we have a partner ask for it?

@jeffhandley jeffhandley added Priority:2 Work that is important, but not critical for the release and removed Priority:3 Work that is nice to have labels Feb 28, 2022
@jeffhandley
Member

@bartonjs Is there anything further to do on this issue now that #67011 and #69833 have been merged?

@bartonjs
Member

bartonjs commented Jun 3, 2022

There's still a tweak and test for Windows, but Linux is done.

@bartonjs
Member

This work is believed to be complete, across #67011, #69833, and #71570.

If you're reading this issue, using .NET 7 RC1 or newer, and disagree... please open a new issue with details 😄

@ghost ghost locked as resolved and limited conversation to collaborators Aug 28, 2022