OCSP stapling: responder proxy setting

So far I couldn't find a solution to allow OCSP lookups for OCSP stapling in a locked down environment, e.g. with an outbound firewall configured.
Explicitly allowing outgoing requests for OCSP responders is not an option, as the IPs for these are not static and can change rapidly (see for example Let's Encrypt, which uses the Akamai CDN).

I do have a separate HTTP proxy available for outgoing requests to whitelisted URLs. Using the proxy for OCSP requests would be the easiest option, but it seems there is no OCSP proxy setting available (yet).

Edit: I also tested an explicit OCSP responder proxy (that parses the request and response payloads) in combination with the HTTPS listener OCSP Responder setting, also to no avail. Requests are naturally performed with the Host header containing the OCSP Responder setting URL and, as expected, looking at RFC 6960 there is no OCSP responder URL in the request payload that could be used by the proxy alternatively.

The most flexible solution might thus be an additional setting, OCSP Responder Proxy, that takes a hostname as an argument. If set, OCSP requests are built with the Host header as before (either read from the certificate or overridden by the OCSP Responder setting), but the (so far unchanged) request is sent to the configured OCSP proxy host instead.
Technically I guess this might come down to a call of m_pHttpFetch->setProxyServerAddr() in SslOcspStapling::createRequest() with a new proxy configuration property that is set from the configuration pConfig in SslContext::configStapling().
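As an added illustration (my own example code, not from this post or the server's source), here is how the proposed setting maps onto the HTTP layer: the OCSP POST keeps the responder's Host header in both cases, and only the request-target form and the TCP peer change when a forward HTTP proxy is configured. It assumes an http:// responder URL already taken from the certificate's AIA extension (or the OCSP Responder setting), a constructed placeholder for the DER request body, and a proxy listening on port 3128.

```python
from urllib.parse import urlsplit
import http.client
OCSP_REQUEST_CT = "application/ocsp-request"
OCSP_RESPONSE_CT = "application/ocsp-response"
# Constructed placeholder standing in for a DER-encoded OCSPRequest (RFC 6960,
# section 4.1); a real one is derived from the certificate and its issuer.
SAMPLE_OCSP_REQUEST_DER = b"\x30\x03\x02\x01\x00"

def responder_host_header(responder_url):
    """Host header naming the responder: hostname, plus the port unless it is 80."""
    u = urlsplit(responder_url)
    if u.scheme != "http" or not u.hostname:
        raise ValueError("OCSP responder URL must be an http:// URL with a host")
    return u.hostname if u.port in (None, 80) else f"{u.hostname}:{u.port}"

def build_ocsp_http_request(responder_url, ocsp_request_der, via_proxy=False):
    """Raw HTTP/1.1 POST carrying the OCSP request body."""
    host = responder_host_header(responder_url)
    path = urlsplit(responder_url).path or "/"
    # Direct: request-target is the path. Via proxy: request-target is the
    # absolute URL (RFC 7230, section 5.3.2), which is where the proxy learns the
    # destination, since the DER body carries no responder URL. Host names the
    # responder either way, so a URL allowlist on the proxy still applies.
    target = f"http://{host}{path}" if via_proxy else path
    head = (f"POST {target} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"Content-Type: {OCSP_REQUEST_CT}\r\n"
            f"Accept: {OCSP_RESPONSE_CT}\r\n"
            f"Content-Length: {len(ocsp_request_der)}\r\n"
            "Connection: close\r\n\r\n")
    return head.encode("ascii") + ocsp_request_der

def connect_target(responder_url, proxy_host=None, proxy_port=3128):
    """TCP peer to dial: the proxy when one is configured, else the responder."""
    if proxy_host:
        return (proxy_host, proxy_port)
    u = urlsplit(responder_url)
    return (u.hostname, u.port or 80)

def fetch_ocsp_response(responder_url, der, proxy_host=None, proxy_port=3128, timeout=5):
    """Send the request over the network and return the DER OCSPResponse."""
    host, port = connect_target(responder_url, proxy_host, proxy_port)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    # http.client derives the Host header from an absolute request-target itself.
    target = responder_url if proxy_host else (urlsplit(responder_url).path or "/")
    conn.request("POST", target, body=der,
                 headers={"Content-Type": OCSP_REQUEST_CT, "Accept": OCSP_RESPONSE_CT})
    resp = conn.getresponse()
    if resp.status != 200 or resp.getheader("Content-Type") != OCSP_RESPONSE_CT:
        raise RuntimeError(f"unexpected OCSP reply: {resp.status}")
    return resp.read()
```

With the firewall still closed for direct egress, only the proxy's URL allowlist (matched on the responder host in the request line and Host header) decides which responders are reachable.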