Skip to content

Comments

add support for TLS 1.3 OCSP multi-stapling for server certs#20945

Closed
mikrue wants to merge 5 commits intoopenssl:masterfrom
mikrue:master
Closed

add support for TLS 1.3 OCSP multi-stapling for server certs#20945
mikrue wants to merge 5 commits intoopenssl:masterfrom
mikrue:master

Conversation

@mikrue
Copy link

@mikrue mikrue commented May 11, 2023

OCSP multistapling for TLSv1.3:

changed resp variable in the the ssl_struct from one DER encoded OCSP response to a stack of responses
server side: added function in s_server code for retrieving the OCSP responses from all certificates in the server cert chain
server side: added function in statem_srvr code to retrieve and return the response for the requested certificate
client side: added verify function for multiple OCSP responses

Checklist
  • documentation is added or updated
  • tests are added or updated

@openssl-machine openssl-machine added the hold: cla required The contributor needs to submit a license agreement label May 11, 2023
t8m
t8m reviewed May 12, 2023
View reviewed changes
@t8m
Copy link
Member

t8m commented May 12, 2023

We will need a CLA to be able to accept this PR. https://www.openssl.org/policies/cla.html

@mikrue
Copy link
Author

mikrue commented May 12, 2023 via email

@t8m
Copy link
Member

t8m commented May 12, 2023

Ah, Michal Krueger has CLA in our system, but Martin Rauch does not.

@martinRa2
Copy link
Contributor

martinRa2 commented May 12, 2023
edited by DDvO
Loading

Just sent the CLA via email :-)

FdaSilvaYY
FdaSilvaYY reviewed May 13, 2023
View reviewed changes
Copy link
Contributor

@FdaSilvaYY FdaSilvaYY left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same blocking issue as in your previous #19183 contribution :
you must not modify existing methods

A bunch of style issue who are less important considering the 1st one.

@DDvO
Copy link
Contributor

DDvO commented May 23, 2023

@martinRa2 wrote 11 days ago:

Just sent the CLA via email :-)

For some reason, the CLI hold is still present.

@github-actions github-actions bot added the severity: fips change The pull request changes FIPS provider sources label May 23, 2023
@t8m t8m closed this May 23, 2023
@t8m t8m reopened this May 23, 2023
@t8m
Copy link
Member

t8m commented May 23, 2023

@martinRa2 @DDvO we do not have CCLA confirmation for Martin Rauch yet.

@github-actions github-actions bot removed the severity: fips change The pull request changes FIPS provider sources label May 23, 2023
@martinRa3
Copy link
Contributor

martinRa3 commented May 23, 2023

Could you please reopen the pulll request. I have to clarify something and will provide my CCLA as soon as possible.

@t8m
Copy link
Member

t8m commented May 23, 2023

Could you please reopen the pulll request. I have to clarify something and will provide my CCLA as soon as possible.

It is not closed.

@DDvO DDvO changed the title added support for OCSP multi stapling add support for OCSP multi-stapling for server certs May 26, 2023
@DDvO DDvO added this to the 3.2.0 milestone May 27, 2023
@DDvO DDvO changed the title add support for OCSP multi-stapling for server certs add support for TLS 1.3 OCSP multi-stapling for server certs May 27, 2023
DDvO
DDvO requested changes May 28, 2023
View reviewed changes
Copy link
Contributor

@DDvO DDvO left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work.
Yet there are still many (mostly minor) points to be improved.
There are two major ones:

  • the existing API must be retained for backward compatibility
  • the new features (more than one stapled OCSP response, and cert verify using stapled OCSP responses) must be tested with new test cases.

@DDvO DDvO added branch: master Applies to master branch triaged: feature The issue/pr requests/adds a feature hold: needs tests The PR needs tests to be added to it labels May 28, 2023
DDvO
DDvO reviewed May 28, 2023
View reviewed changes
@github-actions github-actions bot added the severity: fips change The pull request changes FIPS provider sources label Jun 23, 2023
@mikrue
Copy link
Author

mikrue commented Jun 30, 2023

closing pull request and re-open it to get rid of the "CLA missing" tags...

@mikrue mikrue closed this Jun 30, 2023
@mikrue
Copy link
Author

mikrue commented Jun 30, 2023

re-opening...

@mikrue mikrue reopened this Jun 30, 2023
@DDvO
Copy link
Contributor

DDvO commented Jul 21, 2025

@martinRa2 there are a few very minor CI issues (coding style and a type conversion disliked by Windows compiler).

@martinRa2
Copy link
Contributor

martinRa2 commented Jul 22, 2025

Hello @DDvO,
thanks for the hint. I fixed the conversion issue, but the code style looks good for me.
@t8m can you please review my changes as well. My target is still to bring the PR into the next release.

@DDvO
Copy link
Contributor

DDvO commented Jul 22, 2025

the code style looks good for me.

Well, the #if indentation would be fine from the local perspective,
but unfortunately it is not from the overall file perspective,
because all the lines 42 to 60 in apps/s_server.c should be indented by one more space.
Please do so, fixing the pre-existing mistakes also for the lines that you otherwise would not need to touch there,
because otherwise the tool will keep complaining

  apps/s_server.c:57:'#if' nesting indent = 1 != 2:# include <openssl/ebcdic.h>
  apps/s_server.c:58:'#if' nesting indent = 0 != 1:#endif
  apps/s_server.c:60:'#if' nesting indent = 0 != 1:#include "internal/statem.h"

@t8m t8m added the style: waived exempted from style checks label Jul 24, 2025
@martinRa3
Copy link
Contributor

martinRa3 commented Jul 24, 2025

Hello @t8m , hello @DDvO,

thanks for approving the PR. What about the style validations? Should I still fix them or are they accepted?

DDvO
DDvO approved these changes Jul 24, 2025
View reviewed changes
Copy link
Contributor

@DDvO DDvO left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reconfirming after the changes recently requested by @t8m.
The remaining minor coding style validations have been waived.
The other CI failure is unrelated.

@DDvO DDvO added approval: done This pull request has the required number of approvals and removed approval: review pending This pull request needs review by a committer labels Jul 24, 2025
@openssl-machine openssl-machine removed the approval: done This pull request has the required number of approvals label Jul 25, 2025
@openssl-machine
Copy link
Collaborator

openssl-machine commented Jul 25, 2025

This pull request is ready to merge

@openssl-machine openssl-machine added the approval: ready to merge The 24 hour grace period has passed, ready to merge label Jul 25, 2025
@t8m
Copy link
Member

t8m commented Jul 25, 2025

Merged to the master branch. Thank you for your contribution.

@t8m t8m closed this Jul 25, 2025
@github-project-automation github-project-automation bot moved this from In progress to Done in Project Board Jul 25, 2025
openssl-machine pushed a commit that referenced this pull request Jul 25, 2025
@martinRa2 @t8m
Add support for TLS 1.3 OCSP multi-stapling for server certs
b1b4b15 
Co-authored-by: Michael Krueger

Reviewed-by: David von Oheimb <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from #20945)
@vdukhovni vdukhovni reopened this Jul 26, 2025
vdukhovni
vdukhovni requested changes Jul 26, 2025
View reviewed changes
@github-project-automation github-project-automation bot moved this from Done to In progress in Project Board Jul 26, 2025
vdukhovni
vdukhovni reviewed Jul 26, 2025
View reviewed changes
@t8m t8m closed this Jul 28, 2025
@github-project-automation github-project-automation bot moved this from In progress to Done in Project Board Jul 28, 2025
@mattcaswell mattcaswell mentioned this pull request Oct 15, 2025
Closed
@davidben davidben mentioned this pull request Oct 23, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vdukhovni vdukhovni vdukhovni requested changes

@DDvO DDvO DDvO approved these changes

@t8m t8m t8m approved these changes

@mattcaswell mattcaswell mattcaswell requested changes

+5 more reviewers

@FdaSilvaYY FdaSilvaYY FdaSilvaYY left review comments

@filipdimitrovcom filipdimitrovcom filipdimitrovcom left review comments

@martinRa2 martinRa2 martinRa2 approved these changes

@martinRa3 martinRa3 martinRa3 left review comments

@andrewkdinh andrewkdinh andrewkdinh requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

approval: ready to merge The 24 hour grace period has passed, ready to merge branch: master Applies to master branch severity: ABI change This pull request contains ABI changes severity: fips change The pull request changes FIPS provider sources style: waived exempted from style checks tests: present The PR has suitable tests present triaged: feature The issue/pr requests/adds a feature

Projects

Project Board
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.