OpenSSL OCSP stapling Vulnerability - (CVE-2010-0014)

Frantz, Stacey M CIV NIOC PCOLA

How can I tell if openssl on my server is acting as a server and calling SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX?
This includes Apache httpd >= 2.3.3, if configured with "SSLUseStapling On".

Re: OpenSSL OCSP stapling Vulnerability - (CVE-2010-0014)

Dr. Stephen Henson
On Thu, Feb 17, 2011, Frantz, Stacey M CIV NIOC PCOLA wrote:

>
> How can I tell if openssl on my server is acting as a server and calling
> SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX?  This includes Apache
> httpd >= 2.3.3, if configured with "SSLUseStapling On".

Well, it's pretty clear from that: if you are using Apache less than 2.3.3 or
you don't have an explicit directive SSLUseStapling On in your configuration
you aren't using stapling.

You can probe using the openssl command:

openssl s_client -connect hostname:443 -status -tls1

If you get this:

OCSP response: no response sent

then you don't support it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
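A scripted version of the two checks discussed in this thread, added here as an example and not code from either poster or from the OpenSSL project: the server-side question (is there an active SSLUseStapling On directive in the httpd config?) and the client-side probe with openssl s_client -status. The s_client transcripts and the config lines embedded below are constructed, not captured from a real host; the host name handling in probe_stapling is an assumption about how you would call it. One practical note on the probe: the -tls1 flag in the reply pins the handshake to TLS 1.0, which many servers now refuse, and the status_request extension is independent of the protocol version, so the live probe below drops it and adds -servername so an SNI virtual host answers for the right certificate.

```sh
#!/bin/sh
# Added example (not from the thread). Three pieces:
#   probe_stapling          - the real s_client probe (needs network + openssl;
#                             not exercised by the offline checks below)
#   classify_stapling       - read an s_client transcript on stdin, report
#                             none / stapled / stapled-not-successful /
#                             parse-error / unknown
#   apache_stapling_enabled - read an httpd config on stdin, succeed only if
#                             an uncommented "SSLUseStapling On" is present

# Live probe against a host (assumed call: probe_stapling www.example.test 443).
# -servername selects the SNI vhost; no -tls1 so the server picks the version.
probe_stapling() {
    host=$1
    port=${2:-443}
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
        -status 2>/dev/null
}

# s_client's status callback prints one line beginning "OCSP response: ".
# "no response sent" means the server did not staple; a real response is
# followed by OCSP_RESPONSE_print output containing "OCSP Response Status:".
classify_stapling() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
        echo none
    elif printf '%s\n' "$out" | grep -q '^OCSP response: response parse error'; then
        echo parse-error
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$out" | grep -q '^OCSP response:'; then
        echo stapled-not-successful     # stapled, but e.g. tryLater/unauthorized
    else
        echo unknown                    # no status line at all (old s_client, or
                                        # the handshake failed before it)
    fi
}

# Apache directives are case-insensitive; a leading "#" makes the line a
# comment. This reads a single config stream, so feed it every file httpd
# actually loads (Include is not followed here).
apache_stapling_enabled() {
    grep -Eiq '^[[:space:]]*SSLUseStapling[[:space:]]+On[[:space:]]*$'
}

# Constructed transcripts in the shape s_client prints (not real captures).
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = www.example.test
---'

SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================
depth=0 CN = www.example.test
---'

SAMPLE_CONF='SSLEngine on
# SSLUseStapling On
SSLUseStapling On
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)'

printf '%s\n' "$SAMPLE_NONE"    | classify_stapling     # prints: none
printf '%s\n' "$SAMPLE_STAPLED" | classify_stapling     # prints: stapled
if printf '%s\n' "$SAMPLE_CONF" | apache_stapling_enabled; then
    echo 'httpd config: stapling enabled'
else
    echo 'httpd config: stapling not enabled'
fi
```

To use the live probe, replace the constructed transcript with the real one: `probe_stapling www.example.test | classify_stapling`. A result of `none` matches the "no response sent" case in the reply and means the server is not calling the status callback at all; `stapled-not-successful` means the server does have stapling wired up (and so would be in scope for the advisory) even though the stapled answer is not a good one.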