[gnutls-devel] OCSP for www.google.com

Tim Ruehsen tim.ruehsen at gmx.de
Thu Jan 15 17:16:33 CET 2015


On Thursday 15 January 2015 16:53:22 Nikos Mavrogiannopoulos wrote:
> On Thu, Jan 15, 2015 at 4:18 PM, Tim Ruehsen <tim.ruehsen at gmx.de> wrote:
> > Wow Nikos, that was fast! Thank you.
> > I'll try it out soon.

I put the code into mget and it works like a charm!

> > Just a follow-up question regarding OCSP.
> > Looking at
> > http://security.stackexchange.com/questions/56239/secure-connection-failed-ocsp,
> > there is a comment:
> > 
> > "By the way, OCSP stapling can only staple info for one certificate. The
> > browser will still have to contact your intermediate certificates' OCSP
> > servers unless you've recently visited another website using the same
> > ones. (There's an RFC for stapling multiple certs in progress.)" - Matt
> > Nordhoff
> > 
> > To me, this sounds reasonable. Shouldn't the ocsptool loop over the
> > complete cert list and check each cert? What do you think?
> 
> Indeed, that would be the right thing to do. If there is a patch for
> that I'll apply it.
> 
> For completeness there is also RFC 6961, which allows for multiple OCSP
> staples to be included in the server's reply, but doesn't seem to be
> supported by anyone. I have an implementation in some branch of gnutls,
> but as I couldn't make an interop check with anyone, it is left out.

I'll have a look at it tomorrow. Thanks for making that clear.

Tim
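As an added illustration of the chain-wide check discussed in this thread (this is not code from the thread, from mget or from GnuTLS itself), the script below splits a PEM chain file into its certificates and runs `ocsptool --ask` once per (certificate, issuer) pair instead of only for the leaf. It assumes `ocsptool` is on PATH, that the chain file lists the leaf first followed by its issuers in order (the usual `gnutls-cli --print-cert` / web-server chain layout), and that each certificate carries an OCSP responder URI in its AIA extension, which `--ask` without an argument uses. The last certificate in the file has no issuer in the file and is skipped; if the chain does not end at a self-signed root, the final intermediate still needs its issuer loaded from the trust store, which this script does not do.

```shell
#!/bin/sh
# Check OCSP status for every certificate in a PEM chain, not just the leaf.
# Added example, not part of the mailing-list thread or of GnuTLS.

# split_chain CHAIN_FILE OUT_DIR
# Writes OUT_DIR/cert-1.pem, cert-2.pem, ... (one per PEM block, in file
# order) and prints the number of certificates found.
split_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; inside = 1; f = dir "/cert-" n ".pem" }
        inside { print > f }
        /^-----END CERTIFICATE-----/ { inside = 0; close(f) }
        END { print n + 0 }
    ' "$1"
}

# check_chain CHAIN_FILE
# For cert-i, the issuer is cert-(i+1). Runs ocsptool for each pair and
# returns non-zero if any query fails or reports a non-good status
# (assumption: ocsptool exits non-zero in those cases).
check_chain() {
    chain=$1
    tmp=$(mktemp -d)
    n=$(split_chain "$chain" "$tmp")
    status=0
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$((i + 1))
        echo "== cert-$i.pem (issuer: cert-$issuer.pem)"
        # --ask with no argument: responder URI taken from the cert's AIA.
        ocsptool --ask \
            --load-cert "$tmp/cert-$i.pem" \
            --load-issuer "$tmp/cert-$issuer.pem" || status=1
        i=$issuer
    done
    rm -rf "$tmp"
    return "$status"
}

# Usage: ./ocsp-chain.sh chain.pem
if [ "$#" -gt 0 ]; then
    check_chain "$1"
fi
```

The split step is what makes the loop possible with the existing `ocsptool` options; everything after it is the same single-certificate query the tool already performs, applied to each link of the chain in turn.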