[gnutls-devel] OCSP for www.google.com

Tim Ruehsen tim.ruehsen at gmx.de
Thu Jan 15 16:18:50 CET 2015


On Thursday 15 January 2015 15:54:16 Nikos Mavrogiannopoulos wrote:
> On Thu, Jan 15, 2015 at 2:50 PM, Tim Ruehsen <tim.ruehsen at gmx.de> wrote:
> > Hi,
> > using gnutls-cli (3.3.11-1 from Debian Experimental) with --ocsp does not
> > work for www.google.com. My question is, does gnutls and/or google fail?
> It seems gnutls-cli (and ocsptool) fail early when they don't
> understand the first entry in the AIA extension.
> 
> This patch on ocsptool fixes the issue:
> https://gitorious.org/gnutls/gnutls/commit/11eebe14b232ec198d1446a3720e6ed78d118c4b

Wow Nikos, that was fast! Thank you.

I'll try it out soon.

Just a follow-up question regarding OCSP.
Looking at http://security.stackexchange.com/questions/56239/secure-connection-failed-ocsp, there is a comment:

"By the way, OCSP stapling can only staple info for one certificate. The 
browser will still have to contact your intermediate certificates' OCSP 
servers unless you've recently visited another website using the same ones. 
(There's an RFC for stapling multiple certs in progress.) – Matt Nordhoff"

To me, this sounds reasonable. Shouldn't the ocsptool loop over the complete 
cert list and check each cert? What do you think?

Tim
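The two points in this thread (a client that only looks at the first AIA entry and so misses an OCSP responder listed after caIssuers, and the question of walking the whole chain rather than checking the leaf alone) can be shown in a few lines. The Python below is an added example for this archive page, not GnuTLS, gnutls-cli or ocsptool code and not the patch Nikos linked: a small hand-rolled DER walker that finds id-ad-ocsp entries anywhere in an AuthorityInfoAccess extension, and a chain loop that pairs every non-self-signed certificate with its issuer, which is what an OCSP request needs (the CertID carries the issuer's name and key hashes). Every AIA payload, subject name and example.test URL in it is constructed test data; the leaf is built with caIssuers before OCSP to reproduce the ordering the thread describes.

```python
# Added example, not GnuTLS/ocsptool code. Minimal DER helpers plus an AIA
# parser and a chain loop. All certificates, names and URLs are constructed.

OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"         # id-ad-ocsp      (RFC 5280, 4.2.2.1)
OID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"   # id-ad-caIssuers


def _tlv(tag, body):
    """DER-encode one TLV (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _read_tlv(buf, pos):
    """Read the DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:                     # base-128, high bit on all but the last byte
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(chunk)
    return _tlv(0x06, bytes(body))


def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_aia(der):
    """AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
    AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
    Returns (method OID, URI or None) in extension order; only [6] URIs are decoded."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AIA is not a SEQUENCE")
    entries, pos = [], 0
    while pos < len(seq):
        tag, ad, pos = _read_tlv(seq, pos)
        t, oid, p = _read_tlv(ad, 0)
        if tag != 0x30 or t != 0x06:
            raise ValueError("malformed AccessDescription")
        t, loc, _ = _read_tlv(ad, p)
        entries.append((_decode_oid(oid), loc.decode("ascii") if t == 0x86 else None))
    return entries


def ocsp_uri_from_first_entry(der):
    """The fragile behaviour the thread describes: only the first AIA entry is
    consulted, so a cert that lists caIssuers before OCSP yields no responder."""
    method, uri = parse_aia(der)[0]
    return uri if method == OID_AD_OCSP else None


def ocsp_uris(der):
    """Robust form: every id-ad-ocsp URI, wherever it sits in the extension."""
    return [uri for method, uri in parse_aia(der) if method == OID_AD_OCSP and uri]


def plan_chain_checks(chain):
    """chain is leaf first, root last; each cert is a dict with subject, issuer, aia.
    Returns (subject, issuer subject, responder URI or None) for every certificate
    that is not self-signed: the OCSP CertID is built from the issuer's name and
    key, so each cert is paired with the next one; the anchor itself is skipped."""
    plan = []
    for i, cert in enumerate(chain):
        if cert["subject"] == cert["issuer"]:
            continue                       # self-signed anchor (name check only here)
        if i + 1 >= len(chain) or chain[i + 1]["subject"] != cert["issuer"]:
            raise ValueError("chain not ordered leaf-to-root: no issuer for " + cert["subject"])
        uris = ocsp_uris(cert["aia"]) if cert["aia"] else []
        plan.append((cert["subject"], chain[i + 1]["subject"], uris[0] if uris else None))
    return plan


def _access(method, uri):                  # one AccessDescription (constructed test data)
    return _tlv(0x30, _encode_oid(method) + _tlv(0x86, uri.encode("ascii")))


# Constructed chain; the leaf lists caIssuers before OCSP, as the thread describes.
LEAF = {"subject": "CN=www.example.test", "issuer": "CN=Example Intermediate",
        "aia": _tlv(0x30, _access(OID_AD_CA_ISSUERS, "http://pki.example.test/int.crt")
                    + _access(OID_AD_OCSP, "http://ocsp.example.test/"))}
INTERMEDIATE = {"subject": "CN=Example Intermediate", "issuer": "CN=Example Root",
                "aia": _tlv(0x30, _access(OID_AD_OCSP, "http://ocsp-root.example.test/"))}
ROOT = {"subject": "CN=Example Root", "issuer": "CN=Example Root", "aia": None}
CHAIN = [LEAF, INTERMEDIATE, ROOT]
```

Run as a script or import it: `ocsp_uri_from_first_entry(LEAF["aia"])` returns None while `ocsp_uris(LEAF["aia"])` finds the responder, and `plan_chain_checks(CHAIN)` yields one (cert, issuer, responder) triple for the leaf and one for the intermediate, which is the loop the follow-up question asks for. The self-signed test is by name only; a real tool would confirm the anchor by signature or trust-store membership before skipping it.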