[RFE] CRL/OCSP checks for TLS #443

Open
jirib opened this issue Apr 10, 2014 · 13 comments
jirib commented Apr 10, 2014

With the recent Heartbleed OpenSSL bug, the topic of revoking certs has been raised. If your setup is compromised, one could still be MITMed without revoking old keys.

Postfix does not do any CRL/OCSP checks for TLS - https://postfix.1071664.n5.nabble.com/TLS-Certificate-signature-failure-what-is-the-reason-td62435.html#a62502

Maybe OpenSMTPD could be the one setting the trend.

poolpOrg (Member) commented:

This will be worked out soon, when LibreSSL development improves the current situation a bit.

CRL/OCSP is a major major major pain in the ass atm

poolpOrg self-assigned this Jun 11, 2014

ArchangeGabriel commented:

What is the status of this issue? OCSP is implemented in other projects, like nginx for instance. ;)

poolpOrg (Member) commented May 3, 2016

Ticket is pending; feel free to give implementing it a try until we manage to.

ArchangeGabriel commented:

Also thought I would just write here that OCSP stapling on the OpenSMTPD side should be part of this OCSP support, and allowing a resolver to be specified should be considered too. ;)

jirib (Author) commented Nov 3, 2016

OCSP stapling just hit the OpenBSD tree (libtls and nc), so maybe OpenSMTPD would benefit from this.

poolpOrg (Member) commented Nov 7, 2016

Unfortunately, OpenSMTPD can't use libtls yet as we still support OpenSSL :-/

MrSorcus commented:

Up. Any news on this?

ArchangeGabriel commented:

One workaround I’m going to try soon is to let e.g. nginx handle the TLS part of the connection, though that only works when receiving, not when relaying (I’m not sure this can be done, but in any case would likely require more work).

poolpOrg (Member) commented Jun 5, 2019

Work has begun to switch OpenSMTPD to libtls, which will solve this issue.

Stay tuned.

poolpOrg (Member) commented:

I have written the code but am waiting for a LibreSSL hacker to confirm I'm doing the right thing :-)

poolpOrg (Member) commented:

The libtls branch has switched to OCSP-aware keypair loading.

I'm waiting for a diff to be committed to LibreSSL before I can test this for real outside of my laptop and close the ticket.

ArchangeGabriel commented:

What is the status here now that OpenSMTPD uses libtls? OCSP stapling (on the server side) and checking (on the client side) are supported by Exim AFAIK, not sure about Postfix, but having it in OpenSMTPD would be nice. ;)

PS: Just to be clear, I’m not necessarily asking for an answer from @poolpOrg, but since @omar-polo revived the project, maybe they would know about this?
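The two halves asked for above, stapling on the server side and checking on the client side, as an added example that is neither OpenSMTPD's nor libtls's code: a Go in-memory TLS handshake in which the server attaches a staple to its certificate and the client refuses any session that arrives without one (libtls exposes the same two knobs as tls_config_set_keypair_ocsp_file() and tls_config_ocsp_require_stapling()). The staple bytes are a constructed placeholder, not a real OCSP response, and the certificate is a throwaway self-signed one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"net"
	"time"
)

// Constructed stand-in for the DER OCSP response an MTA would load from disk.
var fakeStaple = []byte("constructed-ocsp-response-placeholder")
// handshake pits a server that staples (or not) against a client that rejects
// sessions without a staple, returning the staple the client received.
func handshake(serverStaples bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway self-signed cert
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	if serverStaples {
		cert.OCSPStaple = fakeStaple // carried in the TLS status_request extension
	}
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	// Tickets off: Handshake then ends at the client's Finished, no blocking write into the pipe.
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true}
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvConn, srvCfg).Handshake() }()
	// InsecureSkipVerify only because the cert is self-signed; the staple is the point.
	cli := tls.Client(cliConn, &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12})
	if err := cli.Handshake(); err != nil {
		return nil, err
	}
	<-srvErr // let the server side finish before inspecting the session
	if staple := cli.ConnectionState().OCSPResponse; len(staple) > 0 {
		return staple, nil
	}
	return nil, errors.New("peer presented no OCSP staple; refusing session")
}
```

A real client would additionally parse and verify the staple (signature, validity window, matching serial) before trusting it; here the check is only that the server presented one.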

poolpOrg (Member) commented Aug 3, 2023

Hmmm, well, the code is already written but is very outdated; I'm not even sure it can merge.

Now that someone volunteered to take care of portable, I may be tempted to submit back some features upstream, including this one; I'll see if I can get around to it next week.
