
openssl: check for Must-Staple extension on server cert

Michael Catanzaro requested to merge mcatanzaro/openssl-ocsp into master

Previously we decided not to do this because it cannot be done properly, which would require us to check each certificate in the chain for the Must-Staple extension. The problem is we don't know which certificates actually get used in the final verification path constructed by OpenSSL, and don't want to consider certificates that are not used because that leads to mistakes like #179 (closed).

But we can check Must-Staple on just the server cert. So let's do that. Then we can get some actual real security benefit, which is otherwise not possible because we have to ignore missing OCSP responses if Must-Staple is not used.

Now, this isn't good enough -- we really ought to check for Must-Staple on intermediate certificates too -- but it seems to be the best that is possible with OpenSSL nowadays.

Credit to Patrick Griffis for originally writing much of this code. I've stolen a lot of this from his previous work that was not accepted at the time.

Edited by Michael Catanzaro
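As an added illustration of the policy this MR describes, here is example code written for this page (not glib-networking's own code, and not using any OpenSSL calls, so it links with nothing): it parses the RFC 7633 TLS Feature extension value from constructed sample bytes to decide whether the leaf cert is Must-Staple, then applies the rule that a missing stapled OCSP response is only fatal when the leaf demands one. The OCSP-response verification result is passed in as a boolean rather than computed, and the "malformed extension is a hard failure" choice is this example's, not the MR's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24; OpenSSL's
 * NID_tlsfeature).  Its extnValue wraps  Features ::= SEQUENCE OF INTEGER,
 * and "Must-Staple" means the list contains 5 (status_request).
 */
#define TLSEXT_STATUS_REQUEST 5

/* Strict DER reader for the Features value.
 * Returns 1 if status_request is listed, 0 if not, -1 if the encoding is
 * malformed (bad tags, length mismatch, negative or non-minimal INTEGER). */
static int tls_feature_has_status_request(const uint8_t *der, size_t len)
{
    if (len < 2 || der[0] != 0x30 || (der[1] & 0x80)) return -1; /* SEQUENCE, short length */
    if ((size_t)der[1] + 2 != len) return -1;                  /* truncated or trailing bytes */

    bool found = false;
    size_t pos = 2;
    while (pos < len) {
        if (len - pos < 2 || der[pos] != 0x02) return -1;      /* INTEGER tag */
        size_t ilen = der[pos + 1];
        if (ilen == 0 || ilen > 2 || len - pos - 2 < ilen) return -1;
        const uint8_t *v = der + pos + 2;
        if (v[0] & 0x80) return -1;                             /* negative feature number */
        if (ilen == 2 && v[0] == 0x00 && !(v[1] & 0x80)) return -1; /* non-minimal DER */
        unsigned value = (ilen == 1) ? v[0] : (unsigned)((v[0] << 8) | v[1]);
        if (value == TLSEXT_STATUS_REQUEST) found = true;
        pos += 2 + ilen;                                        /* keep parsing: reject later junk */
    }
    return found ? 1 : 0;
}

typedef enum {
    STAPLE_OK,             /* good response, or no response and leaf is not Must-Staple */
    STAPLE_MISSING,        /* leaf is Must-Staple and the server stapled nothing: hard fail */
    STAPLE_BAD_RESPONSE,   /* a response was stapled but did not verify: hard fail */
    STAPLE_BAD_EXTENSION   /* TLS Feature extension present but malformed (this example's choice) */
} staple_verdict;

static const char *const kVerdictName[] = {
    "OK", "MISSING (Must-Staple violated)", "BAD RESPONSE", "BAD EXTENSION"
};

/* ext == NULL means the leaf carries no TLS Feature extension at all.
 * Only the leaf is consulted, exactly as the MR does; intermediates are not checked. */
static staple_verdict staple_policy(const uint8_t *ext, size_t ext_len,
                                    bool response_present, bool response_good)
{
    bool must_staple = false;
    if (ext) {
        int r = tls_feature_has_status_request(ext, ext_len);
        if (r < 0) return STAPLE_BAD_EXTENSION;
        must_staple = (r == 1);
    }
    if (!response_present)
        return must_staple ? STAPLE_MISSING : STAPLE_OK;   /* missing is soft-fail unless Must-Staple */
    return response_good ? STAPLE_OK : STAPLE_BAD_RESPONSE; /* a stapled response is always checked */
}

/* Constructed sample extnValue contents (not taken from any real certificate). */
static const uint8_t kMustStaple[]   = {0x30, 0x03, 0x02, 0x01, 0x05};                   /* [5] */
static const uint8_t kOtherFeature[] = {0x30, 0x03, 0x02, 0x01, 0x11};                   /* [17] only */
static const uint8_t kBothFeatures[] = {0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x11}; /* [5, 17] */
static const uint8_t kTruncated[]    = {0x30, 0x06, 0x02, 0x01, 0x05};                   /* length lies */

int main(void)
{
    printf("Must-Staple leaf, nothing stapled : %s\n",
           kVerdictName[staple_policy(kMustStaple, sizeof kMustStaple, false, false)]);
    printf("plain leaf, nothing stapled       : %s\n",
           kVerdictName[staple_policy(NULL, 0, false, false)]);
    printf("other feature only, nothing stapled: %s\n",
           kVerdictName[staple_policy(kOtherFeature, sizeof kOtherFeature, false, false)]);
    printf("Must-Staple leaf, good response   : %s\n",
           kVerdictName[staple_policy(kMustStaple, sizeof kMustStaple, true, true)]);
    printf("plain leaf, bad response          : %s\n",
           kVerdictName[staple_policy(NULL, 0, true, false)]);
    printf("truncated extension               : %s\n",
           kVerdictName[staple_policy(kTruncated, sizeof kTruncated, true, true)]);
    return 0;
}
```

In a real OpenSSL backend the extension bytes would come from the leaf via `X509_get_ext_d2i()` with `NID_tlsfeature` (which OpenSSL decodes into a `STACK_OF(ASN1_INTEGER)` for you) and the stapled response from `SSL_get_tlsext_status_ocsp_resp()`; the example parses the DER itself only to stay self-contained and to show exactly which bytes signal Must-Staple.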
