[gnutls-devel] Looking for OCSP Stapling client example

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Nov 13 10:21:07 CET 2014


On Wed, Nov 12, 2014 at 12:38 PM, Tim Ruehsen <tim.ruehsen at gmx.de> wrote:
>> 2. Query the OCSP servers of the certificates that you received
>> manually. This pretty much involves making HTTP queries, and is
>> discussed at:
>> http://www.gnutls.org/manual/html_node/OCSP-certificate-status-checking.html
>> #OCSP-certificate-status-checking and an example using libcurl is at:
>> http://www.gnutls.org/manual/html_node/OCSP-example.html#OCSP-example
> Right now I am interested in 1. (OCSP Stapling).
> It took a while for me to find a server that is appropriately configured.
> Testing with OpenSSL
> $ openssl s_client -connect movlib.org:443 -tls1 -tlsextdebug -status
[...]
> In my verify callback routine (after gnutls_certificate_verify_peers3()),
> gnutls_ocsp_status_request_is_checked() always returns 0.

There is something strange with that server. I checked the wireshark
output of a connection to that server with openssl and the one with
gnutls. They are different. With the gnutls client the server doesn't
advertise its support for OCSP and doesn't send the OCSP response. The
contents of the extension sent by the client are the same in both
cases.

regards,
Nikos
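The thread compares what a server staples for an openssl client versus a gnutls client. The script below is an added example, not code from the thread or from GnuTLS: it wraps the same `openssl s_client -status` probe Tim used and classifies the transcript as "stapled", "error" (a response was stapled but its status is not successful) or "none". The only strings it relies on are the fixed ones s_client prints ("OCSP response: no response sent" and "OCSP Response Status: successful"); the `-servername` option is added on the assumption that the server selects its certificate by SNI, and `-tls1` from the thread is dropped because current servers commonly refuse TLS 1.0. The sample transcripts are constructed.

```shell
#!/bin/sh
# Added example (not from the gnutls-devel thread): classify whether a TLS
# server staples an OCSP response, based on `openssl s_client -status` output.

# Read an s_client -status transcript on stdin and print one word:
#   stapled : an OCSP response was stapled and its status is "successful"
#   error   : an OCSP response was stapled but its status is not successful
#   none    : the server sent no stapled response (or the transcript is not
#             an s_client -status transcript at all)
ocsp_staple_state() {
    out=$(cat)                     # keep the transcript so it can be scanned twice
    if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
        echo none
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status:'; then
        echo error
    else
        echo none
    fi
}

# Probe a live host (needs network access). stdin is closed so s_client
# exits right after the handshake; -servername is an assumption that the
# server picks its certificate by SNI.
probe_ocsp_staple() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | ocsp_staple_state
}

# Constructed transcripts, abridged to the lines that matter.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================
depth=0 CN = example.invalid'

SAMPLE_ERROR='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: unauthorized (0x6)
======================================
depth=0 CN = example.invalid'

SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = example.invalid'

# Usage: sh ocsp_staple.sh <host> [port]   -> probes the host
#        sh ocsp_staple.sh                 -> classifies the constructed samples
if [ -n "${1:-}" ]; then
    probe_ocsp_staple "$1" "${2:-443}"
else
    for s in "$SAMPLE_STAPLED" "$SAMPLE_ERROR" "$SAMPLE_NONE"; do
        printf '%s\n' "$s" | ocsp_staple_state
    done
fi
```

Run it once against a host with the openssl client and, for the comparison Nikos describes, look at the same handshake with gnutls-cli under wireshark; a server that answers "stapled" here but sends nothing to the gnutls client is misbehaving on the server side, not in `gnutls_ocsp_status_request_is_checked()`.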
