[gnutls-devel] Implementing RFC 7633 to support mandatory OCSP stapling.

Kurt Roeckx kurt at roeckx.be
Mon Dec 21 10:33:52 CET 2015


On Mon, Dec 21, 2015 at 10:21:00AM +0200, Nikos Mavrogiannopoulos wrote:
> On Sun, Dec 20, 2015 at 4:34 PM, Tim Kosse
> <tim.kosse at filezilla-project.org> wrote:
> > Hi,
> > I took a shot at implementing RFC 7633 which can be used to make OCSP
> > stapling mandatory.
> > Attached is a proof-of-concept series of patches that implements
> > checking for a missing certificate status during the handshake. I have
> > manually tested this functionality against
> > https://must-staple.serverhello.com/ and
> > https://must-staple-no-ocsp.serverhello.com/
> > Before continuing, I'd like your opinion on the patch series so far.
> 
> Thank you for the patch; it is very consistent with existing code. Do
> you know of any plans for other implementations to use/rely on that
> extension?

OpenSSL has added support for setting and displaying it in the
certificate.  I think someone is also working on a patch to check
it in s_client.


Kurt
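
The check discussed in this thread (abort the handshake when a certificate carries the RFC 7633 TLS feature extension listing status_request but no certificate status arrives), as an added example that is not part of the original messages and is not GnuTLS or OpenSSL code. The function names and sample bytes are made up for illustration, and the input is assumed to be the already-extracted DER value of the extension.

```c
#include <stddef.h>
#include <stdint.h>

#define TLS_EXT_STATUS_REQUEST 5 /* status_request, i.e. OCSP stapling */
/* Constructed sample: DER value of a TLS feature extension listing feature 5. */
static const uint8_t SAMPLE_MUST_STAPLE[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };

/* Read a DER length (short form, or long form with 1-2 bytes); 0 on success. */
static int der_len(const uint8_t *b, size_t size, size_t *pos, size_t *len)
{
    if (*pos >= size) return -1;
    unsigned n = b[(*pos)++];
    *len = n;
    if (n >= 0x80) { /* long form: low 7 bits give the number of length bytes */
        n &= 0x7f;
        if (n == 0 || n > 2 || size - *pos < n) return -1;
        for (*len = 0; n > 0; n--) *len = (*len << 8) | b[(*pos)++];
    }
    return *len <= size - *pos ? 0 : -1; /* content must fit in the buffer */
}

/* Features ::= SEQUENCE OF INTEGER. 1 = feature listed, 0 = not, -1 = malformed. */
int tlsfeature_has(const uint8_t *ext, size_t size, unsigned feature)
{
    size_t pos = 1, len, ilen;
    int found = 0;
    if (size < 2 || ext[0] != 0x30 || der_len(ext, size, &pos, &len) != 0) return -1;
    if (len != size - pos) return -1; /* trailing bytes after the SEQUENCE */
    while (pos < size) {
        unsigned v = 0;
        if (ext[pos++] != 0x02 || der_len(ext, size, &pos, &ilen) != 0) return -1;
        if (ilen == 0 || ilen > 3 || (ext[pos] & 0x80)) return -1; /* small, non-negative */
        while (ilen-- > 0) v = (v << 8) | ext[pos++];
        if (v == feature) found = 1;
    }
    return found;
}

/* Handshake decision: 0 = continue, -1 = abort. ext == NULL: cert has no extension. */
int check_must_staple(const uint8_t *ext, size_t size, int got_status)
{
    if (ext == NULL) return 0;
    int r = tlsfeature_has(ext, size, TLS_EXT_STATUS_REQUEST);
    if (r < 0) return -1; /* unparsable extension: fail closed (a choice made here) */
    return (r == 1 && !got_status) ? -1 : 0;
}

int main(void) { /* exit status 0: must-staple certificate with a stapled status */
    return check_must_staple(SAMPLE_MUST_STAPLE, sizeof SAMPLE_MUST_STAPLE, 1);
}
```

Whether the stapled response itself is valid for the certificate is a separate verification step that this sketch does not cover.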



