[gnutls-devel] Looking for OCSP Stapling client example

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Nov 7 19:17:16 CET 2014


On Fri, 2014-11-07 at 14:15 +0100, Tim Ruehsen wrote:
> Hi,
> 
> could you point to GnuTLS client code that uses OCSP Stapling and/or some docs
> that explain how to implement this for a client?

You mean verification of the server's certificate using OCSP? That is
already discussed in the manual, maybe not in a clear way.

There are two options for a client (and you can combine them):
1. Rely on the server's status request which attaches an OCSP response
during handshake. This is checked automatically by gnutls if available
and you can query whether it was checked using
gnutls_ocsp_status_request_is_checked(). Limitation: it only checks the
server's end certificate (so if there are intermediate CAs which are
revoked you may never know).
http://www.gnutls.org/manual/html_node/OCSP-status-request.html#OCSP-status-request

2. Query the OCSP servers of the certificates that you received
manually. This pretty much involves making HTTP queries, and is
discussed at:
http://www.gnutls.org/manual/html_node/OCSP-certificate-status-checking.html#OCSP-certificate-status-checking
and an example using libcurl is at:
http://www.gnutls.org/manual/html_node/OCSP-example.html#OCSP-example

The above example sets a nonce in the message to ensure that the reply
received from the OCSP server is fresh. That, unfortunately, as far as I
remember, is supported by almost no servers, so you may want to skip it
(or test it and see how it is now). You can also check gnutls-cli to see
how it checks against the OCSP servers. Suggestions or patches to improve
the documentation are welcome.

regards,
Nikos
