[gnutls-devel] gnutls-cli OCSP test code for branch 'ocsp2'
Tim Ruehsen
tim.ruehsen at gmx.de
Wed Feb 4 11:05:51 CET 2015
On Wednesday 04 February 2015 11:01:19 Nikos Mavrogiannopoulos wrote:
> On Wed, 2015-02-04 at 09:31 +0100, Tim Ruehsen wrote:
> > On Tuesday 03 February 2015 12:15:28 Tim Ruehsen wrote:
> > > The 'Server Hello' has a 'status_request' inside (type 5, length 0).
> > > But gnutls_ocsp_status_request_is_checked() returns 0.
> > > This seems wrong in libgnutls... I would expect a return value of 1 in
> > > this
> > > case.
> >
> > Here is a fix.
>
> I don't think that this is related. However, at the current state the
> packets generated seem to be in accordance with wireshark, so as far as
> I understand, it remains to properly support it on the server side by
> enhancing the ocsptool to generate a combined status request, as well as
> accounting the multiple OCSP responses received on peer's certificate
> verification.
The fix just handles the case where status_request and status_request_v2 both
are sent (client hello), but the answer (server hello) just includes
status_request.
I guess, that will be pretty common the next few months/years.
Tim
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20150204/ed6ff0a2/attachment.sig>
More information about the Gnutls-devel
mailing list