
Extend check_sslxnn to check OCSP Stapling
Closed, Resolved (Public)

Description

Modern Net::SSLeay docs indicate this should be possible. Basically we need to set the extension to request the staple, and then check afterwards that it's a valid staple, with some configurable timing constraints on the NotBefore/NotAfter window, as well as validity of the stapling cert, etc. Given expected refresh behaviors, we probably want to be able to WARN if NotBefore gets old (e.g. >75m), and then CRIT if NotAfter is less than X hours from expiry.
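The check described above, as an added example that is not check_ssl's code nor part of the Gerrit patches: it parses the OCSP Response Data block that `openssl s_client -status` prints for a stapled response (the sample output is constructed), maps the description's NotBefore/NotAfter window onto the response's This Update / Next Update fields, and applies the WARN-on-age and CRIT-on-remaining thresholds with Nagios exit codes. The 75-minute and 24-hour defaults, and a missing or non-good staple counting as CRITICAL, are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # Nagios plugin exit codes

# Constructed sample of the "OCSP Response Data" block that `openssl s_client -status`
# prints when the server staples a response (not output from any real host).
SAMPLE_STAPLE = """OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Oct 30 12:00:00 2016 GMT
    Next Update: Nov  6 12:00:00 2016 GMT
"""

def _timestamp(label, text):
    """Parse an s_client 'This Update'/'Next Update' line into an aware UTC datetime."""
    m = re.search(label + r": (.+)", text)
    if not m:
        return None
    value = " ".join(m.group(1).split())  # collapse the "Nov  6" day padding
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def parse_staple(text):
    """Extract response status, cert status and validity window; None if no staple was sent."""
    if "OCSP Response Data:" not in text:
        return None
    status = re.search(r"OCSP Response Status: (\w+)", text)
    cert = re.search(r"Cert Status: (\w+)", text)
    return {"status": status.group(1) if status else None,
            "cert_status": cert.group(1) if cert else None,
            "this_update": _timestamp("This Update", text),
            "next_update": _timestamp("Next Update", text)}

def check_staple(text, now, warn_age=timedelta(minutes=75), crit_remaining=timedelta(hours=24)):
    """Return (exit_code, message); warn_age/crit_remaining are the configurable limits (assumed defaults)."""
    s = parse_staple(text)
    if s is None:
        return CRITICAL, "server sent no OCSP staple"
    if s["status"] != "successful":
        return CRITICAL, "OCSP response status %s" % s["status"]
    if s["cert_status"] != "good":
        return CRITICAL, "stapled cert status %s" % s["cert_status"]
    if s["this_update"] is None or s["next_update"] is None:
        return UNKNOWN, "staple carries no validity window"
    remaining = s["next_update"] - now
    if remaining < crit_remaining:               # covers already-expired staples too
        return CRITICAL, "staple expires in %s" % remaining
    age = now - s["this_update"]
    if age > warn_age:                           # staple not refreshed as expected
        return WARNING, "staple is %s old" % age
    return OK, "staple valid, age %s, %s remaining" % (age, remaining)
```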

Details

Related Gerrit Patches:
operations/puppet (production): check_ssl: support OCSP Stapling
operations/puppet (production): check_sslxNN: require OCSP stapling

Event Timeline

BBlack created this task. Oct 18 2016, 2:43 AM
ema moved this task from Triage to TLS on the Traffic board. Oct 18 2016, 6:46 AM
BBlack removed BBlack as the assignee of this task. Oct 19 2016, 9:10 PM

Change 318931 had a related patch set uploaded (by BBlack):
check_ssl: support OCSP Stapling and related

https://gerrit.wikimedia.org/r/318931

Change 318932 had a related patch set uploaded (by BBlack):
check_sslxNN: require OCSP stapling

https://gerrit.wikimedia.org/r/318932

Change 318932 abandoned by BBlack:
check_sslxNN: require OCSP stapling

https://gerrit.wikimedia.org/r/318932

Change 318931 merged by BBlack:
check_ssl: support OCSP Stapling

https://gerrit.wikimedia.org/r/318931

BBlack closed this task as Resolved. Oct 31 2016, 8:22 PM
BBlack claimed this task.

Fixed now in check_ssl itself.