[gnutls-devel] [PATCH] OCSP check the whole cert chain

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Feb 4 10:15:26 CET 2015


On Mon, 2015-02-02 at 16:27 +0100, Tim Ruehsen wrote:

> Please have a look at src/cli.c/cert_verify_ocsp().
> You changed the last line in this function in a way that, if there are revoked
> certs in the chain but at least one not-revoked cert, the function returns
> 'ok'. Which it should not and which it did not in my patch.

Indeed, I was trying to address the issue of having unknown status in an
OCSP response. I'll have to treat revoked and unknown as different.

regards,
Nikos
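
The aggregation problem discussed in this message, as an added example that is not part of the original thread and is not GnuTLS code. The enum names, function names and sample chains are hypothetical and constructed for illustration; how "unknown" is finally handled is left to the caller as an assumption.

```c
#include <stddef.h>

/* Hypothetical per-certificate OCSP outcomes (not GnuTLS identifiers). */
enum ocsp_status { OCSP_GOOD, OCSP_REVOKED, OCSP_UNKNOWN };
enum chain_verdict { CHAIN_OK, CHAIN_REVOKED, CHAIN_UNDETERMINED };

/* Constructed sample chains, leaf first. */
const enum ocsp_status sample_mixed[]   = { OCSP_GOOD, OCSP_REVOKED, OCSP_GOOD };
const enum ocsp_status sample_unknown[] = { OCSP_GOOD, OCSP_UNKNOWN };
const enum ocsp_status sample_good[]    = { OCSP_GOOD, OCSP_GOOD };

/* Flawed aggregation as described in the quoted report: the chain is
 * accepted as soon as one certificate is not revoked, so a revoked
 * certificate elsewhere in the chain is masked. */
int chain_ok_flawed(const enum ocsp_status *st, size_t n)
{
    size_t i, not_revoked = 0;

    for (i = 0; i < n; i++)
        if (st[i] != OCSP_REVOKED)
            not_revoked++;
    return not_revoked > 0;
}

/* Corrected aggregation: any revoked certificate fails the whole chain.
 * "Unknown" is kept distinct from "revoked" and reported separately so
 * the caller can apply its own policy to it. */
enum chain_verdict chain_verdict_strict(const enum ocsp_status *st, size_t n)
{
    size_t i;
    enum chain_verdict v = CHAIN_OK;

    if (n == 0)
        return CHAIN_UNDETERMINED;      /* nothing was checked */
    for (i = 0; i < n; i++) {
        if (st[i] == OCSP_REVOKED)
            return CHAIN_REVOKED;       /* one revoked cert is enough */
        if (st[i] == OCSP_UNKNOWN)
            v = CHAIN_UNDETERMINED;     /* keep scanning for a revoked cert */
    }
    return v;
}
```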




