Re: Question on necessity of SSL_CTX_set_client_CA_list

On 05/12/2018 17:59, Viktor Dukhovni wrote:
> On Dec 5, 2018, at 4:49 AM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
>
>> The only reason to use OCSP I currently have is in Firefox:  if you turn off
>> "Query OCSP responder servers" in Firefox then EV certificates will no longer
>> show up with their owner/domain name.
> IIRC Apple's Safari is ending support for EV, and some say that EV
> has failed, and are not sorry to see it go.

This is very bad for security.  So far the only real failures have
been:

1. Some cloud provider(s) actively want to reduce all TLS security to
  the anonymous form provided by Let's Encrypt, and are doing their worst
  to sabotage EV providing CAs.

2. As part of this campaign, those same cloud provider(s) take every
  opportunity to declare EV (and even OV) certificates as worthless
  and irrelevant.

3. At least one of those cloud provider(s) publishes a widely used
  "browser", in which they have preemptively removed support.

Apple being tricked into removing support (contrary to their public hard
stance on user security) is sad.

>> Now the question is:   does Firefox get OCSP "right" ;) ?
> Very likely yes.  The Firefox TLS stack is maintained by experts.
> [ Also, FWIW, Firefox uses the "nss" library, not OpenSSL. ]

However Firefox code also contains lots of idiotic usability bugs,
even in the code that talks to the TLS stack.  It is quite possible
that the "OCSP must be on" rule is another bad usability hangover
from the set of badly thought out UI changes made to initially
promote EV certificates, just like the hiding of company names
from non-EV certificates that actually contain them (so called OV
certificates).


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
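The message above turns on the claim that OV certificates carry the company name even though browsers stop displaying it. The following script is an added example, not code from the thread or from OpenSSL: it builds three throwaway self-signed certificates with openssl(1) whose subjects mimic DV, OV and EV certificates, then reads back the fields a client would have to look at. The hostnames and "Example Corp" are made up; 2.23.140.1.1 is the CA/Browser Forum EV policy identifier. It needs OpenSSL 1.1.1 or later for `-addext` and `-ext`. Note that real EV validation in a browser also matches CA-specific EV OIDs recorded in its trust store, so this check is the generic part of it only.

```sh
#!/bin/sh
# Added example (not from the thread). Creates three throwaway self-signed
# certificates with openssl(1) that mimic the subject content of DV, OV and
# EV certificates, then inspects them the way a client would have to:
#   - an OV-style cert carries the company name in the subject O= field
#   - an EV-style cert carries the same O= plus the CA/Browser Forum EV
#     policy OID 2.23.140.1.1 in certificatePolicies
#   - a DV-style cert carries only a CN (and normally a SAN), no O=
# The hostnames and "Example Corp" are made up for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME SUBJECT [EXTRA-OPENSSL-ARGS...]: self-signed test cert,
# private key stays in $WORK and is deleted on exit
make_cert() {
    name=$1; subj=$2; shift 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" \
        -subj "$subj" "$@" >/dev/null 2>&1
}

# org_name CERT: print the subject O= value (empty if there is none).
# RFC2253 output is one comma-separated line, so split it per RDN.
org_name() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//' | tr ',' '\n' | sed -n 's/^O=//p'
}

# has_policy CERT OID: succeed if certificatePolicies lists OID
has_policy() {
    openssl x509 -in "$1" -noout -ext certificatePolicies 2>/dev/null \
        | grep -q "Policy: $2\$"
}

# validation_level CERT: classify as dv / ov / ev from the fields above
validation_level() {
    if has_policy "$1" 2.23.140.1.1; then
        echo ev
    elif [ -n "$(org_name "$1")" ]; then
        echo ov
    else
        echo dv
    fi
}

make_cert dv "/CN=www.example.test"
make_cert ov "/C=DK/O=Example Corp/CN=www.example.test"
make_cert ev "/C=DK/O=Example Corp/CN=www.example.test" \
    -addext "certificatePolicies=2.23.140.1.1"

# The OV and EV certificates both name the organisation; only the
# certificatePolicies extension separates them.
for c in dv ov ev; do
    printf '%s: level=%s O="%s"\n' "$c" \
        "$(validation_level "$WORK/$c.pem")" "$(org_name "$WORK/$c.pem")"
done
```

Run it against a real server certificate by replacing the `make_cert` calls with `openssl s_client -connect host:443 </dev/null | openssl x509 -out "$WORK/site.pem"` and calling `org_name` and `validation_level` on that file; what the script prints as O= is exactly the name a browser has in hand whether or not its UI chooses to show it.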