OCSP stapling for Erlang/OTP

Posted 2018-07-11 18:42:50.698413

The last few days I’ve been working on a small patch for Erlang/OTP 21 that adds support for server-side OCSP stapling to the ssl application. It will take more work to get it into good enough shape for a PR, but for now I wanted to try it in the real world to see if I’m on the right track.

This post will show how OCSP stapling might work with Erlang TLS servers in general, and Phoenix in particular, if and when such a feature might be merged into a future OTP release. Feel free to follow along with the patched OTP linked to below, just don’t use it in production, please!

Staples?

OCSP stands for Online Certificate Status Protocol, a more modern approach to certificate revocation than unwieldy Certificate Revocation Lists (CRLs). Now some would argue that all certificate revocation is broken, and that neither CRLs nor OCSP are effective against man-in-the-middle attack with a compromised and revoked certificate, but let’s put that aside for now.

While more modern and efficient in some ways, OCSP has its own issues. A common criticism is the fact that it leaks personal information (browsing behaviour) to the issuing CA, through the OCSP status requests sent by the browsers. OCSP Stapling mitigates this concern: instead of the browser sending a status query from the user’s IP address, the server requests the OCSP response from the CA and sends it in-band as part of the TLS handshake.

Besides the privacy benefits, OCSP stapling also allows the server to cache the response and reuse it for all incoming connections. This eliminates the round-trip to to the OCSP server, reducing the load on the CA’s infrastructure and reducing the overall TLS session establishment latency.

Let’s have a look at the patch, and see what it would take to enable OCSP stapling in a Phoenix application.

Continue reading...

PSA: retiring TLS test domains

Posted 2018-07-11 07:30:04.473948

Please note that the TLS test domains on this server, as mentioned in these old posts, have been retired. As an alternative I would highly recommend https://badssl.com/, which offers many more test cases than this server ever did.

Dual cert RSA/ECDSA server with Erlang/OTP 21

Posted 2018-07-03 18:55:58.000000

In my previous post about Erlang/OTP 21 I neglected to mention one change in the ssl application:

OTP-15056    Application(s): ssl

             Deprecate ssl:ssl_accept/[1,2,3] in favour of
             ssl:handshake/[1,2,3]

At first glance this might look like a mere function rename, no big deal, but it turns out there is more to it than meets the eye. The new :ssl.handshake/[1,2,3] functions support an option to introspect the capabilities of the client and make last-minute adjustments to the server TLS parameters before proceeding with the handshake. One thing this allows us to do is present an ECDSA certificate to clients that can handle it, while falling back to an RSA certificate for those that can’t.

Before diving in, I just want to make this clear: this is not going to work with current versions of Phoenix, Plug, Cowboy, and other servers. This is not a new ssl socket option, it is a change in the way the API works. The old APIs are still there, and most applications will likely continue to use those old APIs for a while, until they drop support for pre-21 OTP versions. So with that out of the way, let’s get started…

Continue reading...

Older posts