[gnutls-devel] Implementing RFC 7633 to support mandatory OCSP stapling.

Tim Kosse tim.kosse at filezilla-project.org
Sun Dec 20 15:34:36 CET 2015


Hi,

I took a shot at implementing RFC 7633, which can be used to make OCSP
stapling mandatory.

Attached is a proof-of-concept series of patches that implements
checking for a missing certificate status during the handshake. I have
manually tested this functionality against
https://must-staple.serverhello.com/ and
https://must-staple-no-ocsp.serverhello.com/.

Before continuing, I'd like your opinion on the patch series so far.


The things still missing, which I'll implement after incorporating your
feedback:
- Documentation
- Tests
- Setting this extension in certificates and CSRs

Regards,
Tim Kosse
-------------- next part --------------
Attached patches (text/x-patch):
- 0001-Add-the-TLS-Features-extension-from-RFC-7633-to-the-.patch (1359 bytes): </pipermail/attachments/20151220/ca5b7ba1/attachment-0001.bin>
- 0002-Implement-functions-to-parse-the-TLSFeatures-X.509-e.patch (8287 bytes): </pipermail/attachments/20151220/ca5b7ba1/attachment-0002.bin>
- 0003-If-we-have-sent-an-OCSP-status-request-and-have-not-.patch (3939 bytes): </pipermail/attachments/20151220/ca5b7ba1/attachment.bin>
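For readers who cannot open the attachments, the following is an added illustration (not code from Tim's patches or from GnuTLS) of the two pieces the series combines: decoding the RFC 7633 TLS Feature extension, a DER SEQUENCE OF INTEGER of TLS extension types, and the client-side rule that fails the handshake when the certificate lists status_request but no stapled status arrived. Function names and the sample DER are constructed for this example.

```c
/* Added example, not from the patch series: decode the RFC 7633 TLS Feature
 * extension (OID 1.3.6.1.5.5.7.1.24, DER "SEQUENCE OF INTEGER") and apply
 * the must-staple rule. Names below are hypothetical, not GnuTLS API. */
#include <stddef.h>
#include <stdint.h>

#define TLSFEATURE_STATUS_REQUEST 5  /* status_request extension type, RFC 6066 */

/* Parse a DER SEQUENCE OF INTEGER into `out` (at most `max` entries stored).
 * Returns the number of features present, or -1 on malformed input.
 * Only short-form lengths and small non-negative integers are accepted,
 * which covers every valid TLS Feature value (extension types are < 65536). */
int tlsfeatures_parse(const uint8_t *der, size_t len, unsigned *out, size_t max)
{
    size_t pos, count = 0;
    if (len < 2 || der[0] != 0x30 || der[1] >= 0x80) return -1; /* SEQUENCE, short length */
    if ((size_t)der[1] != len - 2) return -1;                   /* length must match buffer */
    pos = 2;
    while (pos < len) {
        if (pos + 2 > len || der[pos] != 0x02) return -1;      /* INTEGER tag */
        size_t ilen = der[pos + 1];
        if (ilen == 0 || ilen > 3 || pos + 2 + ilen > len) return -1;
        if (der[pos + 2] & 0x80) return -1;                     /* negative value: invalid */
        unsigned v = 0;
        for (size_t i = 0; i < ilen; i++) v = (v << 8) | der[pos + 2 + i];
        if (count < max) out[count] = v;
        count++;
        pos += 2 + ilen;
    }
    return (int)count;
}

/* 1 if the certificate demands OCSP stapling, 0 if not, -1 if the extension is malformed. */
int tlsfeatures_requires_stapling(const uint8_t *der, size_t len)
{
    unsigned feats[8];
    int n = tlsfeatures_parse(der, len, feats, 8);
    if (n < 0) return -1;
    for (int i = 0; i < n && i < 8; i++)
        if (feats[i] == TLSFEATURE_STATUS_REQUEST) return 1;
    return 0;
}

/* Client-side decision after the handshake: the connection must fail when we
 * asked for a stapled status, the certificate requires one, and none was sent.
 * A malformed extension is also treated as a failure. */
int must_staple_violated(const uint8_t *der, size_t len,
                         int we_sent_status_request, int server_sent_status)
{
    int req = tlsfeatures_requires_stapling(der, len);
    if (req < 0) return 1;
    return we_sent_status_request && !server_sent_status && req;
}

/* Constructed sample: SEQUENCE { INTEGER 5 }, as carried by a must-staple certificate. */
static const uint8_t MUST_STAPLE_DER[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
```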