OCSP Stapling

Hi,

I am trying to use the Network Framework API for a client application that needs to use TLS. The TLS server supports OCSP stapling. From the documentation meant for Network Framework it is not clear whether there is support for checking stapled responses. Appreciate any pointers to proper documentation.


P.S.: My client application would frequently open new TLS connections, and support for stapling would help with a faster handshake (avoiding communication with the OCSP responder).

--

Thanks,

Radha

There is the sec_protocol_options_set_tls_ocsp_enabled API available during TLS to enable checking the certificate status. This can be set on the NWProtocolTLS.Options with something like:


import Network

// Create TLS options for the connection and enable OCSP status checking
// on the underlying sec_protocol_options_t; pass these options to
// NWParameters(tls:) when creating the NWConnection.
let tlsOptions = NWProtocolTLS.Options()
sec_protocol_options_set_tls_ocsp_enabled(tlsOptions.securityProtocolOptions, true)


There is also an API to enable checking SCT values: sec_protocol_options_set_tls_sct_enabled.



Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Thanks for the quick response! Still slightly confused about the exact support.

1) OCSP - https://tools.ietf.org/html/rfc6960

2) OCSP Cert Status Extension - https://tools.ietf.org/html/rfc6066#page-14

3) OCSP Stapling Multiple Cert Status - https://tools.ietf.org/html/rfc6961

4) OCSP Must Staple - https://tools.ietf.org/html/rfc7633

5) SCT(Signed Certificate Timestamp) - https://tools.ietf.org/html/rfc6962#page-13


Can you please confirm which of the above features would be covered by setting the option "sec_protocol_options_set_tls_ocsp_enabled"?
We own the TLS server end and we are actually looking for OCSP Must Staple support. (The TLS handshake should fail if the stapling info is absent in the server certificate.)


Thanks in advance!

--

Regards,

Radha

No problem. Performing OCSP or obtaining SCT values are really two ways to obtain trusted data that a certificate is valid and from a reliable source. So, when thinking about how certificates are validated, performing OCSP or obtaining SCT values are just two ways this can be done. There is also the on-device trust store to consider in this process. All of this goes back to the point that the APIs sec_protocol_options_set_tls_ocsp_enabled and sec_protocol_options_set_tls_sct_enabled allow you to flag these options as ways for TLS to validate that the certificate from the peer is trusted. The truly best way to identify where this is making an impact is through testing different hosts. Try using badssl dot com to test different conditions.


Also, one thing to note about SCT data is that it can come from a variety of sources. For example, embedded in the certificate or through TLS vended by the server. To get a full understanding of where the SCT and OCSP data is coming from, I recommend taking a packet trace when your connection is going up. OCSP will often be visible to you as a GET request in the trace, but you may need to hunt for the SCT values during the handshake packet exchange.



Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com
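The following is an added example, not code from this thread or from Apple. It puts the two options named in the first answer (sec_protocol_options_set_tls_ocsp_enabled and sec_protocol_options_set_tls_sct_enabled) into a complete Network.framework client, and adds a verify block that addresses the "fail the handshake if no stapled status is present" requirement from the question by re-evaluating the peer's SecTrust with a revocation policy that requires a positive OCSP answer while network access is disabled. It assumes that, with OCSP enabled on the options, the TLS stack attaches the server's stapled response to the SecTrust it hands to the verify block; it does not parse the RFC 7633 must-staple extension itself, it simply enforces the staple requirement client-side. The host name and queue label are placeholders.

```swift
// Added example (not from the thread): Network.framework TLS client that
// requests OCSP/SCT data and rejects peers whose revocation status cannot be
// established from stapled data alone.
// ASSUMPTION: sec_protocol_options_set_tls_ocsp_enabled causes the stapled
// OCSP response to be attached to the SecTrust passed to the verify block,
// so disabling network access makes a missing staple fail verification.
import Foundation
import Network
import Security

/// Builds TLS options for `host` that ask for a stapled OCSP response and
/// SCTs, and verify the chain with a strict, offline revocation policy.
func makeStrictTLSOptions(host: String, queue: DispatchQueue) -> NWProtocolTLS.Options {
    let tlsOptions = NWProtocolTLS.Options()
    let secOptions = tlsOptions.securityProtocolOptions

    // Request the status_request extension (stapled OCSP) and Certificate
    // Transparency SCTs during the handshake.
    sec_protocol_options_set_tls_ocsp_enabled(secOptions, true)
    sec_protocol_options_set_tls_sct_enabled(secOptions, true)

    // Custom verification: standard SSL policy for the host name plus a
    // revocation policy that must see a positive OCSP answer and may not
    // contact a responder, so only a stapled (or cached) response can satisfy it.
    sec_protocol_options_set_verify_block(secOptions, { _, secTrust, complete in
        let trust = sec_trust_copy_ref(secTrust).takeRetainedValue()

        let sslPolicy = SecPolicyCreateSSL(true, host as CFString)
        let revocationFlags: CFOptionFlags =
            CFOptionFlags(kSecRevocationOCSPMethod) |
            CFOptionFlags(kSecRevocationRequirePositiveResponse) |
            CFOptionFlags(kSecRevocationNetworkAccessDisabled)
        guard let revocationPolicy = SecPolicyCreateRevocation(revocationFlags) else {
            complete(false)
            return
        }
        SecTrustSetPolicies(trust, [sslPolicy, revocationPolicy] as CFArray)

        var error: CFError?
        let trusted = SecTrustEvaluateWithError(trust, &error)
        if !trusted {
            // The error text distinguishes a missing/undeterminable revocation
            // status from an otherwise bad chain; log it for diagnosis.
            let reason = error.map { String(describing: $0) } ?? "unknown"
            print("TLS verification failed for \(host): \(reason)")
        }
        complete(trusted)
    }, queue)

    return tlsOptions
}

/// Opens a TLS connection to `host`:443 using the strict options above.
func connect(host: String) -> NWConnection {
    let queue = DispatchQueue(label: "example.tls.verify")  // placeholder label
    let params = NWParameters(tls: makeStrictTLSOptions(host: host, queue: queue))
    let connection = NWConnection(host: NWEndpoint.Host(host), port: .https, using: params)
    connection.stateUpdateHandler = { state in
        switch state {
        case .ready:
            print("connected to \(host); stapled OCSP status accepted")
        case .failed(let error):
            print("connection to \(host) failed: \(error)")
        default:
            break
        }
    }
    connection.start(queue: queue)
    return connection
}

// Usage (placeholder host; substitute your own server). In a command-line
// tool, keep the process alive afterwards, e.g. with dispatchMain().
let conn = connect(host: "tls.example.invalid")
```

When testing this against your own server, compare a run with stapling enabled on the server against one with it disabled: the second should fail inside the verify block with a revocation-related error rather than a chain error, which is the behaviour the question asks for. Removing kSecRevocationNetworkAccessDisabled turns the policy back into "OCSP by any means", where a missing staple is silently covered by a live responder query.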
