Opened 5 years ago

Closed 4 years ago

Last modified 4 years ago

#13067 closed defect (fixed)

[jessie] Enable OCSP Stapling for TorProject.org

Reported by: tom
Owned by:
Priority: Medium
Milestone:
Component: Internal Services/Tor Sysadmin Team
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

It would be very good if TorProject.org and related websites (blog, trac) enabled OCSP stapling. This would not require someone to 'choose' (I say choose because it's an option you set, not something you choose on each visit) between checking for up-to-date revocation information and violating their privacy by leaking the visit for TP to a random third party.

Change History (9)

comment:1 Changed 5 years ago by Sebastian

Component: Website → Tor Sysadmin Team

This would be a sysadmin thing.

comment:2 Changed 5 years ago by weasel

Summary: Enable OCSP Stapling for TorProject.org → [jessie] Enable OCSP Stapling for TorProject.org

AIUI, from a quick glance, this requires at least apache httpd 2.3.

comment:3 Changed 5 years ago by tom

That is accurate.

When upgrading to Apache 2.4 I have found that some modules I used did not support 2.4, but most did. I'm assuming you're not using mod_mono ;) but I'd be curious if the blocker is lack of time to test and deploy an upgrade, lack of desire to use 2.4 for some reason (and why), or if software in use does not support it, in which case I can go try and figure out that problem =)

comment:4 Changed 5 years ago by weasel

It means we probably will have to upgrade to jessie first. Once that is done, we can re-visit the issue.

comment:5 Changed 4 years ago by weasel

Resolution: fixed
Status: new → closed

on jessie hosts, we do that now.

comment:6 Changed 4 years ago by someone_else

Resolution: fixed
Status: closed → reopened

OCSP stapling is not working on www.torproject.org, trac.torproject.org, blog.torproject.org.

openssl s_client -connect www.torproject.org:443 -tls1_2 -tlsextdebug -status
CONNECTED(00000007)
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02 ....
TLS server extension "session ticket" (id=35), len=0
TLS server extension "heartbeat" (id=15), len=1
0000 - 01 .
OCSP response: no response sent
[...]

(TBB is sending OCSP requests for *.torproject.org to ocsp.digicert.com.)

comment:7 Changed 4 years ago by weasel

Resolution: fixed
Status: reopened → closed

I said we do that on jessie hosts. Not all our hosts do jessie yet.

comment:8 in reply to: 7 Changed 4 years ago by someone_else

Replying to weasel:

I said we do that on jessie hosts. Not all our hosts do jessie yet.

From what I can tell there are exactly 0 publicly accessible jessie hosts.

All of these don't do OCSP stapling:
archive.torproject.org
blog.torproject.org
bwauth.torproject.org
compass.torproject.org
consensus-health.torproject.org
db.torproject.org
git.torproject.org
gitweb.torproject.org
jenkins.torproject.org
lists.torproject.org
media.torproject.org
metrics.torproject.org
munin.torproject.org
nagios.torproject.org
people.torproject.org
rt.torproject.org
svn.torproject.org
trac.torproject.org
translation.torproject.org
weather.torproject.org
www.torproject.org

alberti.torproject.org
archeotrichon.torproject.org
aroides.torproject.org
eugeni.torproject.org
gayi.torproject.org
listera.torproject.org
majus.torproject.org
materculae.torproject.org
meronense.torproject.org
mongolicum.torproject.org
moschatum.torproject.org
motor.torproject.org
nova.torproject.org
omeiense.torproject.org
perdulce.torproject.org
polyanthum.torproject.org
rouyi.torproject.org
rude.torproject.org
schmitzi.torproject.org
stellatum.torproject.org
tanguticum.torproject.org
troodi.torproject.org
vineale.torproject.org
yatei.torproject.org

All other machines listed on https://db.torproject.org/machines.cgi are not accessible.
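The check someone_else ran by hand in comment 6 (openssl s_client -status, then look for "OCSP response: no response sent") is easy to automate over a host list like the one above. The script below is an added example, not Tor Project code: it wraps that openssl invocation in a function, classifies the transcript as stapled / not-stapled / unknown, and, when a response is stapled, reports the Cert Status it carries. The two transcripts embedded in it are constructed to mirror openssl's output layout, not captured from any torproject.org host; the host names are whatever the caller passes on the command line.

```shell
#!/bin/sh
# Added example: automate the `openssl s_client -status` check from this
# ticket against a list of hosts. Not Tor Project code.

# stapling_status: read an `openssl s_client -status` transcript on stdin and
# print "stapled (<cert status>)", "not-stapled", or "unknown".
stapling_status() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q '^OCSP response: no response sent'; then
        # The server answered the status_request extension with nothing, so
        # the browser falls back to asking the CA's responder itself, which
        # is exactly the third-party leak the ticket is about.
        echo "not-stapled"
    elif printf '%s\n' "$transcript" | grep -q 'OCSP Response Status: successful'; then
        # A stapled response was delivered; report what it says about the leaf.
        cert_status=$(printf '%s\n' "$transcript" | sed -n 's/^ *Cert Status: //p' | head -n 1)
        echo "stapled (${cert_status:-unparsed})"
    else
        # Connection failure, or a transcript we do not recognise.
        echo "unknown"
    fi
}

# check_host: run the live check against one host (port 443, SNI set).
# </dev/null closes stdin so s_client returns once the handshake is done.
check_host() {
    host=$1
    status=$(openssl s_client -connect "$host:443" -servername "$host" -status \
                </dev/null 2>/dev/null | stapling_status)
    printf '%-40s %s\n' "$host" "$status"
}

# Two constructed transcripts (not captured from torproject.org) so the parser
# can be exercised without network access. The "stapled" one mirrors the layout
# openssl prints when a response is delivered.
SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:CN = www.example.com'

SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2015 GMT
======================================
---
Certificate chain
 0 s:CN = www.example.com'

if [ $# -gt 0 ]; then
    # Usage: sh ocsp-check.sh www.torproject.org blog.torproject.org ...
    for h in "$@"; do check_host "$h"; done
else
    # No hosts given: exercise the classifier on the constructed transcripts.
    printf 'constructed sample 1: %s\n' "$(printf '%s\n' "$SAMPLE_NOT_STAPLED" | stapling_status)"
    printf 'constructed sample 2: %s\n' "$(printf '%s\n' "$SAMPLE_STAPLED" | stapling_status)"
fi
```

Feeding it the host list from the comment above prints one line per host; "unknown" usually means the TCP connection or handshake failed rather than anything about stapling, so treat it as "re-check", not as a pass.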

comment:9 Changed 4 years ago by weasel

Severity: Normal

Apache falls over with various mutex failures when OCSP stapling is enabled. Thus not using it after all.
