[gnutls-devel] [PATCH] OCSP check the whole cert chain
tim.ruehsen at gmx.de
Mon Feb 2 16:27:11 CET 2015
On Monday 19 January 2015 15:33:47 Nikos Mavrogiannopoulos wrote:
> On Sat, Jan 17, 2015 at 2:55 PM, Tim Rühsen <tim.ruehsen at gmx.de> wrote:
> >> > (There's an RFC for stapling multiple certs in progress.) - Matt
> >> > Nordhoff"
> >> > To me, this sounds reasonable. Shouldn't the ocsptool loop over the
> >> > complete cert list and check each cert ? What do you think ?
> >> Indeed, that would be the right thing to do. If there is a patch for
> >> that I'll apply it.
> > Hi Nikos,
> > I made up a first patch to check the whole cert chain.
> > Not sure what to do for e.g. www.google.com where the last cert in the
> > chain is not verifiable via OCSP.
> Thank you. I've applied a modified patch, where this is skipped. With
> the updated patch, we check OCSP for the certificates we have
> information to use. For the others, we simply cannot check them.
please have a look at src/cli.c/cert_verify_ocsp().
You changed the last line in this function in a way, that if there are revoked
certs in the chain but at least one not-revoked cert, the function returns
'ok'. Which it should not and which it did not in my patch.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: This is a digitally signed message part.
More information about the Gnutls-devel