PerlMonks  

OCSP for LWP::UserAgent

by Anonymous Monk
on Jun 05, 2018 at 13:06 UTC ( #1215939=perlquestion )

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hello

This question is regarding IO::Socket::SSL/Net::SSLeay and LWP::UserAgent.
To check certificate revocation status with OCSP, one needs to explicitly call the ocsp_resolver of the socket, e.g. resolve_blocking().
That's the strategy I use in Net::LDAP.

But in LWP::UserAgent, the connection is a "private", cached member of the object.

My question is: can I obtain a socket reference from within a verify callback? E.g. the 2nd arg of the callback?
If yes, then:
  o Can I conduct blocking OCSP at that point?
If not, then:
  o How to invoke "ocsp_resolver"?
I need this in order to check the certificate status of non-stapling Web servers, or of an upper-chain certificate (normally not stapled).

I truly hope my question is clear

And thank you for being one of the purest forms of Human Genius and Generosity :-)

rama

Re: OCSP for LWP::UserAgent
by haj (Chaplain) on Jun 05, 2018 at 19:40 UTC
    This isn't exactly what you asked for, but maybe an alternative approach: You should be able to use LWP::UserAgent with servers without OCSP stapling by passing the corresponding option like this:
    $ua->ssl_opts( SSL_ocsp_mode => SSL_OCSP_NO_STAPLE );
    (Combined from the documentation for IO::Socket::SSL and LWP::UserAgent)
      Thanks!
      This is definitely not what I asked for :-)

      I want to do OCSP.
      But if the HTTPS server doesn't staple a status response - then my only opportunity is during verify callback.
      Even if it did - it would only be for the leaf certificate, and I am after good status throughout the chain.
      However - I don't know how to recall the OCSP resolver of the underlying IO::Socket::SSL instance from within the callback.
      That's my question

      I did try to connect/disconnect the IP and port from the URL, and do the OCSP there, and only proceed to the actual request if this "tls-ocsp-ping" was successful.
      However, this approach can have a performance impact, as the LWP::UserAgent with keepalive will not re-do a TLS handshake for every request (to same server).

      rama
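The connect/check/disconnect "tls-ocsp-ping" described in the reply above, written out as an added example (not code from the thread), using IO::Socket::SSL's documented ocsp_resolver; it assumes network access and takes the hostname from the command line:

```perl
#!/usr/bin/perl
# Added example, not code from the thread: the "tls-ocsp-ping" rama describes,
# done with IO::Socket::SSL directly, before the real request goes through LWP.
use strict;
use warnings;
use IO::Socket::SSL;   # exports SSL_VERIFY_PEER, SSL_OCSP_* and $SSL_ERROR
use LWP::UserAgent;

# Open a throw-away TLS connection, let IO::Socket::SSL verify the chain,
# then query the OCSP responder for every certificate in the chain (not only
# the leaf, which is all a stapled response would cover). Returns undef when
# every status is good and an error string otherwise.
sub ocsp_ping {
    my ($host, $port) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost        => $host,
        PeerPort        => $port // 443,
        SSL_verify_mode => SSL_VERIFY_PEER,
        # FULL_CHAIN: the resolver covers intermediates too; FAIL_HARD: an
        # unreachable or unparsable responder counts as failure, not "unknown".
        SSL_ocsp_mode   => SSL_OCSP_FULL_CHAIN | SSL_OCSP_FAIL_HARD,
    ) or return "TLS connect failed: $SSL_ERROR";

    # resolve_blocking() performs the OCSP HTTP round trips for the pending
    # requests and returns undef on success or an error string otherwise.
    my $err = $sock->ocsp_resolver->resolve_blocking;
    $sock->close;
    return $err;
}

my $host = shift @ARGV or die "usage: $0 hostname\n";
if (my $err = ocsp_ping($host, 443)) {
    die "OCSP check for $host failed: $err\n";
}

# Only now hand the host to LWP; its handshake verifies the chain again, but
# the revocation status of the whole chain was established by the ping above.
my $ua  = LWP::UserAgent->new(ssl_opts => { verify_hostname => 1 });
my $res = $ua->get("https://$host/");
print $res->status_line, "\n";
```

The ping costs one extra handshake per host, and as the reply notes a kept-alive LWP connection will not re-handshake, so the result describes the chain only at the moment of the ping.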
Re: OCSP for LWP::UserAgent
by haukex (Chancellor) on Jun 06, 2018 at 13:47 UTC
