[openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

Jakob Bohm jb-openssl at wisemo.com
Thu Dec 6 09:03:21 UTC 2018


On 05/12/2018 17:59, Viktor Dukhovni wrote:
>> On Dec 5, 2018, at 4:49 AM, Jan Just Keijser <janjust at nikhef.nl> wrote:
>>
>> The only reason to use OCSP I currently have is in Firefox:  if you turn off
>> "Query OCSP responder servers" in Firefox then EV certificates will no longer
>> show up with their owner/domain name.
> IIRC Apple's Safari is ending support for EV, and some say that EV
> has failed, and are not sorry to see it go.
This is very bad for security.  So far the only real failures have
been:

1. Some cloud provider(s) actively want to reduce all TLS security to
   the anonymous form provided by Let's Encrypt, and are doing their worst
   to sabotage EV-providing CAs.

2. As part of this campaign, those same cloud provider(s) take every
   opportunity to declare EV (and even OV) certificates as worthless
   and irrelevant.

3. At least one of those cloud provider(s) publishes a widely used
   "browser", in which they have preemptively removed support.

Apple being tricked into removing support (contrary to their public hard
stance on user security) is sad.

>> Now the question is:   does Firefox get OCSP "right" ;) ?
> Very likely yes.  The Firefox TLS stack is maintained by experts.
> [ Also, FWIW, Firefox uses the "nss" library, not OpenSSL. ]
>
However Firefox code also contains lots of idiotic usability bugs,
even in the code that talks to the TLS stack.  It is quite possible
that the "OCSP must be on" rule is another bad usability hangover
from the set of badly thought out UI changes made to initially
promote EV certificates, just like the hiding of company names
from non-EV certificates that actually contain them (so called OV
certificates).


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded