http://www.perlmonks.org?node_id=1215939

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hello

This question is regarding IO::Socket::SSL/Net:SSLeay and LWP::UserAgent.
To check certificate revocation status with OCSP, one needs to explicitly call the ocsp_resolver of the socket, e.g. resolve_blocking().
That's the strategy I use in Net::LDAP.

But in LWP::UserAgent, the connection is a "private", cached member of the object.

My question is - Can I obtain a socket reference from within a verify callback? E.g. the 2nd arg of the callback?
If yes, then -
o Can I conduct blocking OCSP at that point?
If not, then -
o How to invoke "ocsp_resolver"?
I need this in order to check the certificate status of non-stapling Web servers, or of an upper-chain certificate (normally not stapled)

I truly hope my question is clear

And thank you for being one of the purest form of Human Genius and Generosity :-)

rama

Replies are listed 'Best First'.
Re: OCSP for LWP::UserAgent
by haj (Chaplain) on Jun 05, 2018 at 19:40 UTC
    This isn't exactly what you asked for, but maybe an alternative approach: You should be able to use LWP::UserAgent with servers without OCSP stapling by passing the corresponding option like this:
    $ua->ssl_opts( SSL_ocsp_mode => SSL_OCSP_NO_STAPLE );
    (Combined from the documentation for IO::Socket::SSL and LWP::UserAgent)
      Thanks!
      This is definitely not what I asked for :-)

      I want to do OCSP.
      But if the HTTPS server doesn't staple a status response - then my only opportunity is during verify callback.
      Even if it did - it would only be for the leaf certificate, and I am after good status throughout the chain.
      However - I don't know how to recall the OCSP resolver of the underlying IO::Socket::SSL instance from within the callback.
      That's my question

      I did try to connect/disconnect the IP and port from the URL, and do the OCSP there, and only proceed to the actual request if this "tls-ocsp-ping" was successful.
      However, this approach can have a performance impact, as the LWP::UserAgent with keepalive will not re-do a TLS handshake for every request (to same server).

      rama
Re: OCSP for LWP::UserAgent
by haukex (Chancellor) on Jun 06, 2018 at 13:47 UTC