
The discussion at Why isn't OCSP required by default in browsers? notes that many browsers by default simply ignore failure to check web site TLS certificate revocation status via the Online Certificate Status Protocol (OCSP).

Is there a simple way (e.g. a tool) for users who care about it, or are just curious, to monitor OCSP requests and detect or log when connections fail? E.g. a browser extension would be handy.

I'm curious about all the popular platforms and browsers.

Update: Poking around a bit more, I found this explanation of the basic OCSP flow and how to do it step-by-step with openssl: OCSP verification with OpenSSL.

-----BEGIN WHINE-----
back in the good old days before HTTP became a crufty swiss army knife, I'd just have to capture all packets for the "OCSP port". But no - OCSP is layered on top of HTTP, so I need more than a simple pcap-based tool: I need to figure out which HTTP URLs out there are OCSP-related, and parse the more wordy conversations....
-----END WHINE-----

nealmcb

2 Answers

Most of my experience lately has been with the Tumbleweed Desktop Validator (now Axway?) - it'll plug into browsers as well as work standalone with a bunch of configuration options. It checks OCSP and pops up a warning when something bad has happened. I think you can configure it to deny access as well.

It's not the only product, just the one I've worked with most recently and most heavily. Many of the OCSP server makers have a client side offering, since it's just the other half of the equation. I'm afraid I don't know of any free ones.

bethlakshmi

Something I came up with just now: It needs some fine-tuning, but this can work for quick testing (warning, the output is not very pretty!)

    sudo tshark -i eth1 -f "tcp port http" -R "ocsp.responses || ocsp.Request" -V -T text

What this does is watch eth1 (my internet interface) for http packets, get them, filter those that have content-type ocsp-response or ocsp-request, and print the decoded packet, so one can see what is going on.

It needs fine-tuning because it displays info about the ip and tcp header fields, and it details all ocsp response fields in as much detail as possible.

The same filters can be applied to wireshark for prettier output.

john
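An added offline example, not code from the question or either answer: it does by hand what the tshark filter above does on the wire, picking OCSP exchanges out of captured HTTP by their Content-Type and decoding the responseStatus of each OCSPResponse (RFC 6960), so a soft-fail can be counted. The sample messages are constructed, not real captures.

```python
# OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes [0] EXPLICIT ... OPTIONAL }
RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
OCSP_TYPES = {"application/ocsp-request": "ocsp-request",
              "application/ocsp-response": "ocsp-response"}
def split_http(raw):
    """Split one HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines, headers = head.split(b"\r\n"), {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, body
def der_length(buf, i):
    """Decode the DER length at buf[i]; return (length, offset of first content byte)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n
def ocsp_response_status(der):
    """Read responseStatus, the ENUMERATED that opens the outer SEQUENCE."""
    if der[:1] != b"\x30":
        raise ValueError("OCSPResponse must start with a SEQUENCE")
    _, i = der_length(der, 1)
    if der[i] != 0x0A:
        raise ValueError("expected ENUMERATED responseStatus")
    n, j = der_length(der, i + 1)
    return RESPONSE_STATUS.get(int.from_bytes(der[j:j + n], "big"), "unknown")
def classify(raw):
    """Return (kind, status); kind is 'ocsp-request', 'ocsp-response' or None."""
    _, headers, body = split_http(raw)
    kind = OCSP_TYPES.get(headers.get("content-type", "").split(";")[0].strip().lower())
    return (kind, ocsp_response_status(body)) if kind == "ocsp-response" else (kind, None)
# Constructed samples, not real captures; the "successful" responseBytes is a dummy placeholder.
SAMPLES = [
    b"POST /ocsp HTTP/1.1\r\nContent-Type: application/ocsp-request\r\n\r\n\x30\x00",
    b"HTTP/1.1 200 OK\r\nContent-Type: application/ocsp-response\r\n\r\n\x30\x03\x0a\x01\x03",
    b"HTTP/1.1 200 OK\r\nContent-Type: application/ocsp-response\r\n\r\n"
    b"\x30\x0f\x0a\x01\x00\xa0\x0a\x30\x08\x06\x02\x2a\x03\x04\x02\x00\x00",
    b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n",
]
def summarize(messages=SAMPLES):
    """Count OCSP traffic by kind and responseStatus; non-OCSP HTTP is ignored."""
    counts = {}
    for kind, status in map(classify, messages):
        if kind:
            key = kind if status is None else "%s:%s" % (kind, status)
            counts[key] = counts.get(key, 0) + 1
    return counts
```

A tryLater or unauthorized count here is the signal the question asks about: the responder answered, but the browser got nothing usable and will typically proceed anyway.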