[gnutls-devel] OCSP RFC6961 for web servers

Tim Ruehsen tim.ruehsen at gmx.de
Fri Feb 6 15:16:08 CET 2015


On Friday 06 February 2015 11:41:59 Nikos Mavrogiannopoulos wrote:
> On Fri, 2015-02-06 at 11:05 +0100, Tim Ruehsen wrote:
> > First, many thanks for your clarifications.
> > 
> > On Wednesday 04 February 2015 17:29:33 Nikos Mavrogiannopoulos wrote:
> > > > I thought ocsptool is to generate requests (and responses) for OCSP
> > > > responders. What has this to do with the TLS extension
> > > > status_request_v2
> > > > (despite the fact that a HTTPS server could use the responses to build
> > > > status_request_v2 stapled responses for the 'Server Hello').
> > > 
> > > Exactly (though, the status request response isn't sent on server
> > > hello). We need a way/tool for server operators to gather and
> > > concatenate their OCSP responses in a format gnutls will understand.
> > > ocsptool ought to do that.
> > 
> > From status_request.c/_gnutls_status_request_decode_raw_resp() I can see
> > that the file format has already been fixed for v2.
> > 
> > Just to be in line with you... Do you think it is appropriate to add a
> > CLI option to ocsptool (e.g. --merge-response=file1,file2,...) to merge
> > several response files into one file (specified by --outfile) readable
> > by the library code?
> 
> That could be an option. In that case it will be challenging to make the
> merged file correspond to the certificate chain (e.g., response 0
> correspond to cert 0 ...). A simpler approach may be to do something
> like:
> $ ocsptool --ask-multi mychain.pem --outfile multi.ocsp

I admit, I have no idea how to create a cert chain PEM file. I have not much
knowledge of web server administration. And I have not enough knowledge of
the GnuTLS API (and/or data structure) to play around with 'cert chain' files.
I am not sure if I have the time to take a deeper look into that. Too many
other tasks waiting...

Tim
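The "gather and concatenate the OCSP responses in chain order" step discussed above, as an added example that is not GnuTLS code and does not reproduce the file format read by _gnutls_status_request_decode_raw_resp(). It assumes (my assumption, not the thread's) a multi-response file that is simply back-to-back DER OCSPResponse structures in the same order as the certificates in the chain PEM (leaf first), splits both, pairs response i with certificate i, refuses to continue when the counts differ (a positional format cannot say which certificate a missing or extra response belongs to), and flags any response whose responseStatus is not successful so it is never offered for stapling. The PEM bodies and the OCTET STRING inside the "successful" response are constructed placeholders, not real certificates or a real BasicOCSPResponse.

```python
# Added example (not GnuTLS code): split a concatenated OCSP response file,
# pair response i with chain certificate i, and flag responses that are not
# "successful" before they are offered for stapling.
import base64
import re

PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# OCSPResponseStatus values from RFC 6960, section 4.2.1.
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

OID_OCSP_BASIC = bytes.fromhex("2b0601050507300101")   # 1.3.6.1.5.5.7.48.1.1


def der(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV, using the long form when the length is >= 128."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_tlv(buf: bytes, off: int) -> tuple[int, int, int]:
    """Decode the tag/length at buf[off:]; return (tag, value_start, value_end)."""
    if off + 2 > len(buf):
        raise ValueError(f"truncated DER header at offset {off}")
    tag, first, pos = buf[off], buf[off + 1], off + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError(f"bad DER length at offset {off}")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError(f"DER value at offset {off} runs past end of buffer")
    return tag, pos, end


def split_pem_chain(pem: bytes) -> list[bytes]:
    """Base64 body of each CERTIFICATE block, in file order (leaf first)."""
    return [m.group(1) for m in PEM_CERT_RE.finditer(pem)]


def split_der_responses(blob: bytes) -> list[bytes]:
    """Split back-to-back DER OCSPResponse structures; each is a SEQUENCE."""
    out, off = [], 0
    while off < len(blob):
        tag, _, end = der_tlv(blob, off)
        if tag != 0x30:
            raise ValueError(f"expected SEQUENCE at offset {off}, got tag 0x{tag:02x}")
        out.append(blob[off:end])
        off = end
    return out


def response_status(resp: bytes) -> int:
    """responseStatus is the first field of OCSPResponse: an ENUMERATED (tag 0x0a)."""
    _, start, _ = der_tlv(resp, 0)
    tag, vstart, vend = der_tlv(resp, start)
    if tag != 0x0A or vend - vstart != 1:
        raise ValueError("responseStatus is not a one-byte ENUMERATED")
    return resp[vstart]


def pair_chain_with_responses(chain_pem: bytes, multi_der: bytes) -> list[tuple]:
    """Return (index, status name, stapleable) for each chain certificate.
    Raises when the counts differ: a positional format cannot tell which
    certificate a missing or extra response belongs to."""
    certs = split_pem_chain(chain_pem)
    resps = split_der_responses(multi_der)
    if len(certs) != len(resps):
        raise ValueError(f"{len(certs)} certificates but {len(resps)} responses")
    result = []
    for i, resp in enumerate(resps):
        st = response_status(resp)
        result.append((i, OCSP_STATUS.get(st, f"unknown({st})"), st == 0))
    return result


# --- constructed sample input: placeholders, not real certificates/responses ---

def fake_ocsp_response(status: int, basic_body: bytes = b"") -> bytes:
    """OCSPResponse with the given status; for status 0 wrap a placeholder
    OCTET STRING (not a real BasicOCSPResponse) in responseBytes."""
    body = der(0x0A, bytes([status]))
    if status == 0:
        response_bytes = der(0x30, der(0x06, OID_OCSP_BASIC) + der(0x04, basic_body))
        body += der(0xA0, response_bytes)          # [0] EXPLICIT ResponseBytes
    return der(0x30, body)


def _pem_block(label: bytes) -> bytes:
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(label)
            + b"-----END CERTIFICATE-----\n")

CHAIN_PEM = _pem_block(b"placeholder: leaf") + _pem_block(b"placeholder: intermediate")
# Leaf gets a "successful" response whose body is long enough to need a
# long-form DER length; the intermediate's responder answered tryLater.
MULTI_DER = fake_ocsp_response(0, b"\x00" * 200) + fake_ocsp_response(3)

if __name__ == "__main__":
    for idx, name, ok in pair_chain_with_responses(CHAIN_PEM, MULTI_DER):
        print(f"cert {idx}: {name} -> {'staple' if ok else 'do not staple'}")
```

The status check matters because a responder's tryLater or unauthorized answer is a well-formed OCSPResponse that a naive concatenation step would happily staple; clients then reject the handshake or fall back to a live OCSP query.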