[gnutls-devel] Looking for OCSP Stapling client example

Tim Ruehsen tim.ruehsen at gmx.de
Wed Nov 12 12:38:25 CET 2014

Hi Nikos,

thanks for your answer.

On Friday 07 November 2014 19:17:16 Nikos Mavrogiannopoulos wrote:
> On Fri, 2014-11-07 at 14:15 +0100, Tim Ruehsen wrote:
> > Hi,
> > 
> > could you point to GnuTLS client code that uses OCSP Stapling and/or some
> > docs that explains how to implement this for a client ?
> You mean verification of the servers certificate using OCSP? That is
> already discussed in the manual, maybe not in a clear way.
> There are two options for a client (and you can combined them):
> 1. Rely on the server's status request which attaches an OCSP response
> during handshake. This is check automatically by gnutls if available
> and you can query whether it was checked using
> gnutls_ocsp_status_request_is_checked(). Limitation: it only checks the
> server's end certificate (so if there are intermediate CAs which are
> revoked you may never know).
> http://www.gnutls.org/manual/html_node/OCSP-status-request.html#OCSP-status-> request
> 2. Query the OCSP servers of the certificates that you received
> manually. This pretty much involves making HTTP queries, and is
> discussed at:
> http://www.gnutls.org/manual/html_node/OCSP-certificate-status-checking.html
> #OCSP-certificate-status-checking and an example using libcurl is at:
> http://www.gnutls.org/manual/html_node/OCSP-example.html#OCSP-example

Right now I am interested in 1. (OCSP Stapling).

It took a while for me to find a server that is appropriately configured.
Testing with OpenSSL
$ openssl s_client -connect movlib.org:443 -tls1 -tlsextdebug -status
OCSP response: 
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = IL, O = StartCom Ltd. (Start Commercial Limited), CN = 
StartCom Class 1 Server OCSP Signer
    Produced At: Nov 11 19:31:12 2014 GMT

In my verify callback routine (after gnutls_certificate_verify_peers3()),
gnutls_ocsp_status_request_is_checked() always returns 0.

Even when explicitly calling gnutls_ocsp_status_request_enable_client() before 

Do you have any idea, what is going wrong or how to find out ?

gnutls-cli --ocsp seems only to work 2. (Querying OCSP Server) !?

$ gnutls-cli --version
gnutls-cli 3.3.8

> The above example sets a nonce in the message to ensure that the reply
> received from the OCSP server is fresh. That unfortunately as far as I
> remember is supported by almost no servers, so you may want to skip it
> (or test it and see how it is now). You can also check gnutls-cli how it
> checks against the ocsp servers. Suggestions or patches to improve the
> documentation are welcome.

The docs of gnutls_ocsp_status_request_is_checked() say that this function 
only works after gnutls_certificate_verify_peers3(). What about 
gnutls_certificate_verify_peers2() ?

What you wrote above (1. and 2.) should go (a bit polished) in here:
> http://www.gnutls.org/manual/html_node/OCSP-status-request.html#OCSP-status-> request

Regards, Tim
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20141112/2be8cb2c/attachment.sig>

More information about the Gnutls-devel mailing list