OCSP and CRL: what could go wrong?
Cossack Labs
Posted on January 18, 2022
Read this post to learn everything to know about TLS certificate revocation protocols: OCSP and CRL.
How to use OCSP and CRL for validating TLS certificates in Go apps? Even though Golang has native support for TLS, it has extremely limited support for OCSP and CRL. So, what should you do then?
OCSP (Online Certificate Status Protocol), RFC6960 and CRL (Certificate Revocation List), RFC5280 provide a way to verify whether the TLS certificate was revoked by a Certificate Authority before the app establishes secure communication with a service that uses this certificate.
What could go wrong in using OCSP and CRL?
Here's just a quick list:
🔴 Establishing session before validating the TLS certificate (don't be tempted to "optimise" things if OCSP and CRL cause visible delays in the application work).
🔴 Unreachable CRL / OCSP responders (this could destabilise the whole solution, as applications can be stuck in limbo, not communicating with other services while validating the certificates).
🔴 Accepting "Unknown" status as valid (if the application treats OCSP "Unknown" status as "the certificate is still valid", it might continue talking to the already malicious service, treating it as a valid).
🔴 Certificate revocation checks are too rare (balance performance and security, mind a threat model and security requirements).
🔴 Lack of signature validation (it's essential to verify the CRL response signature to prevent potential attackers from tampering with the list).
🔴 CRL cache poisoning (if CRL is cached in a local file without any integrity checks, the application won't recognise that the file was changed).
🔴 Delta CRLs (if implemented poorly, issues with network connectivity might result in the application not receiving some delta CRLs and continuing to trust the revoked certificates).
Who needs OCSP and CRL?
We stumbled upon intricacies in OCSP and CRL when building Acra database security suite, an application that sits between the app and the database and encrypts/decrypts sensitive data. The support of OCSP and CRL is crucial for Acra to prevent unauthorised connections from malicious or misconfigured apps to sensitive data.
To meet our security model, we had to implement OCSP/CRL verification in Golang ourselves.
See OCSP and CRL implementation examples
💡 As it was not easy but interesting task, we put our findings into a new engineering blog post: TLS validation: implement OCSP and CRL verifiers in Go. Follow the link to learn more about OCSP/CRL design, implementation and security tips, example code and popular mistakes.
If you're a Golang engineer that works closely with TLS, our blog post will give you lots of moments to think about.
To illustrate everything we’ve posted above, we created minimalistic OCSP and CRL implementations in Go.
Check out the 4. Live examples chapter with all the scripts to generate TLS certificates, OCSP responder based on OpenSSL, and Golang server-side and client-side apps. Feel free to review and run examples to see how the verification works with valid and revoked certificates.
Posted on January 18, 2022
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.