[gnutls-devel] Looking for OCSP Stapling client example

[Tim Ruehsen]

On Friday 14 November 2014 20:57:57 Nikos Mavrogiannopoulos wrote:
> On Thu, 2014-11-13 at 11:47 +0100, Tim Ruehsen wrote:
> > > > > In my verify callback routine (after
> > > > > gnutls_certificate_verify_peers3()),
> > > > > gnutls_ocsp_status_request_is_checked() always returns 0.
> > > > 
> > > > There is something strange with that server. I check the wireshark
> > > > output of a connection to that server with openssl and the one with
> > > > gnutls. They are different. With gnutls client the server doesn't
> > > > advertise its support for ocsp and doesn't send the ocsp response. The
> > > > contents of the extension sent by the client are the same in both
> > > > cases.
> > > 
> > > I can't find a working web server. They seem to behave like movlib.org,
> > > e.g. take blog.cloudflare.com:443.
> > > They seemingly made lot's of tests:
> > > http://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30
> > > /
> > 
> > More examples: yahoo.com and yandex.ru.
> 
> Thanks for insisting. It seems that there is an issue in libtasn1 which
> does not properly re-encode these OCSP responses, and as far as I see
> this is a persistent issue. OCSP responders must have switched from
> setting the issuer's DN to setting the SHA1 hash of the key, and that
> must have uncovered the issue. I don't think if I can manage to work on
> libtasn1, but I've worked around the issue in gnutls 3.3 branch, so
> unfortunately you cannot rely on the verification of OCSP stapled
> responses with the released versions of gnutls.

Thanks for having a second look.

There is no pressure and I am just looking forward to the next release of 
GnuTLS.

Tim
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20141117/d2945dfe/attachment.sig>