Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tls: Fix OCSP stapling bug when certificate names overlap other certs #1821

Merged
merged 1 commit into from
Aug 23, 2017
Merged

tls: Fix OCSP stapling bug when certificate names overlap other certs #1821

merged 1 commit into from
Aug 23, 2017

Conversation

mholt
Copy link
Member

@mholt mholt commented Aug 12, 2017

https://caddy.community/t/random-ocsp-response-errors-for-random-clients/2473?u=matt

Certificates are keyed by name in the cache, optimized for fast lookups
during TLS handshakes using SNI. A more "correct" way that is truly a
1:1 would be to cache certificates by a hash of the leaf's DER bytes,
but this involves an extra index to maintain. So instead of that, we
simply choose to prevent overlap when keying certificates by server
name. This avoids the ambiguity when updating OCSP staples, for instance.

(The fillCertFromLeaf changes are just cleanup, not actually related to the bug.)

@mholt
tls: Fix OCSP stapling bug when certificate names overlap other certs
b699a17 
https://caddy.community/t/random-ocsp-response-errors-for-random-clients/2473?u=matt

Certificates are keyed by name in the cache, optimized for fast lookups
during TLS handshakes using SNI. A more "correct" way that is truly a
1:1 would be to cache certificates by a hash of the leaf's DER bytes,
but this involves an extra index to maintain. So instead of that, we
simply choose to prevent overlap when keying certificates by server
name. This avoids the ambiguity when updating OCSP staples, for instance.
@mholt mholt added this to the 0.10.7 milestone Aug 12, 2017
@elcore elcore mentioned this pull request Aug 14, 2017
Closed
slightfoot
slightfoot approved these changes Aug 23, 2017
View reviewed changes
Copy link

@slightfoot slightfoot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see anything wrong with the diff. I wonder though about overlap in regards to wildcard certificates. Also, about the use of certCacheMu without defer. In the odd situation where we attempt to recover but then the lock is still held.

@mholt
Copy link
Member Author

mholt commented Aug 23, 2017

@slightfoot Thanks for the review!

I wonder though about overlap in regards to wildcard certificates.

I don't think this will be a problem; only one certificate per name is mapped in the cache. Per my testing the wildcards were OK. Certificates are chosen based on most specific to least specific match, so wildcards will only be used if there's not another more specific matching certificate.

Also, about the use of certCacheMu without defer. In the odd situation where we attempt to recover but then the lock is still held.

Good thing to notice, for sure. Defer doesn't run until the end of the function, I'd have to refactor to make that happen. But the loop is correct; that code shouldn't panic (famous last words, I know) and it doesn't return. Good opportunity for cleanup in the future perhaps.

With that, merging this change now!

@mholt mholt merged commit e49474a into master Aug 23, 2017
@mholt mholt deleted the ocspfix branch September 28, 2017 12:01
@mholt mholt mentioned this pull request Jan 7, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@slightfoot slightfoot slightfoot approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.10.7
Development

Successfully merging this pull request may close these issues.
2 participants
@mholt @slightfoot