- Task
- Resolution: Unresolved
- Major
- Sprint 60, Sprint 61, Sprint 62
In Maistra Envoy we rely on OpenSSL to select the server-side certificate chain when multiple chains are configured in an SSL_CTX. However, OpenSSL's selection process does not take the presence or status of an OCSP response into account.
This can lead to a situation where a client requests an OCSP response but a certificate chain with a missing or expired OCSP response is selected, causing an SSL handshake failure (see TestFilterMultipleCertsFilterByOcspPolicyFallbackOnFirst in test/extensions/transport_sockets/tls/ssl_socket_test.cc).
A possible approach is to use a cert_cb (see https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cert_cb.html) and check OCSP response validity there. Using this callback raises the question of cert chain compatibility with the client-side cert (incompatible ECs, for example) and how to handle it.
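The selection policy a cert_cb would have to implement, written out as an added, self-contained example (not Maistra Envoy or OpenSSL code): candidate chains and the ClientHello facts are modelled as plain structs with constructed sample values, so it runs without linking OpenSSL. In a real callback `wants_ocsp_staple` would come from `SSL_get_tlsext_status_type(ssl) == TLSEXT_STATUSTYPE_ocsp`, the key compatibility check from the client's signature algorithms and supported groups, and the OCSP expiry from the stored response's nextUpdate; the names `select_chain`, `cert_chain_t`, `client_hello_t` and the key_type enum are assumptions of this example. The policy also covers the fallback the referenced test describes: when the client asks for a staple but no compatible chain has a valid response, the first compatible chain is used rather than failing the handshake.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Leaf key algorithm of a chain (constructed enum; stands in for what the
 * client's supported groups / signature algorithms would have to match). */
typedef enum { KEY_RSA = 0, KEY_EC_P256 = 1, KEY_EC_P384 = 2 } key_type_t;

/* One configured server certificate chain, as the cert_cb would see it. */
typedef struct {
    const char *name;
    key_type_t key;
    bool has_ocsp_response;   /* an OCSP response is loaded for this chain */
    int64_t ocsp_next_update; /* nextUpdate of that response, Unix seconds */
} cert_chain_t;

/* Facts taken from the ClientHello. */
typedef struct {
    bool wants_ocsp_staple; /* status_request extension present */
    unsigned key_mask;      /* bitmask of key_type_t values the client accepts */
} client_hello_t;

static bool client_accepts_key(const client_hello_t *ch, key_type_t k) {
    return (ch->key_mask & (1u << (unsigned)k)) != 0;
}

static bool ocsp_is_valid(const cert_chain_t *c, int64_t now) {
    return c->has_ocsp_response && c->ocsp_next_update > now;
}

/* Selection policy:
 *  - skip chains the client cannot use at all (incompatible key type);
 *  - if the client asked for a staple, prefer the first compatible chain whose
 *    OCSP response is still valid;
 *  - otherwise fall back to the first compatible chain (the chain OpenSSL's
 *    default selection would have picked anyway);
 *  - return -1 when no chain is compatible, so the caller can fail the handshake. */
int select_chain(const cert_chain_t *chains, size_t n,
                 const client_hello_t *ch, int64_t now) {
    int first_compatible = -1;
    for (size_t i = 0; i < n; i++) {
        if (!client_accepts_key(ch, chains[i].key))
            continue;
        if (first_compatible < 0)
            first_compatible = (int)i;
        if (!ch->wants_ocsp_staple)
            return (int)i; /* no staple requested: first compatible chain wins */
        if (ocsp_is_valid(&chains[i], now))
            return (int)i; /* staple requested and this response is still good */
    }
    return first_compatible; /* fallback on first compatible, or -1 */
}

/* Constructed sample configuration: three chains, evaluated at kNow. */
static const int64_t kNow = 1700000000;
static const cert_chain_t kSampleChains[] = {
    {"rsa-expired-ocsp", KEY_RSA,     true,  1699990000}, /* response expired */
    {"p256-valid-ocsp",  KEY_EC_P256, true,  1700600000}, /* response valid   */
    {"p384-no-ocsp",     KEY_EC_P384, false, 0},          /* no response      */
};
static const size_t kSampleCount = sizeof(kSampleChains) / sizeof(kSampleChains[0]);

int main(void) {
    client_hello_t hellos[] = {
        {true,  (1u << KEY_RSA) | (1u << KEY_EC_P256)}, /* staple, RSA or P-256 */
        {true,  (1u << KEY_RSA)},                        /* staple, RSA only     */
        {false, (1u << KEY_RSA) | (1u << KEY_EC_P256) | (1u << KEY_EC_P384)},
        {true,  (1u << KEY_EC_P384)},                    /* staple, P-384 only   */
    };
    for (size_t i = 0; i < sizeof(hellos) / sizeof(hellos[0]); i++) {
        int idx = select_chain(kSampleChains, kSampleCount, &hellos[i], kNow);
        printf("hello %zu -> %s\n", i, idx < 0 ? "(none)" : kSampleChains[idx].name);
    }
    return 0;
}
```

Wired into a real cert_cb, the chosen index would drive `SSL_use_certificate`, `SSL_use_PrivateKey` and `SSL_set1_chain` for that chain, plus `SSL_set_tlsext_status_ocsp_resp` when a valid response exists, before the callback returns 1; a -1 result is where the callback would return 0 to abort. Which key types count as "compatible" is the open point the ticket raises; the mask here is only a stand-in for that decision.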