[gnutls-devel] OCSP / gnutls_ocsp_status_request_is_checked()

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Jan 19 15:49:24 CET 2015


On Mon, Jan 19, 2015 at 2:36 PM, Tim Ruehsen <tim.ruehsen at gmx.de> wrote:
> Hi,
>
> for caching and user information purposes I would like to see
> gnutls_ocsp_status_request_is_checked() (or a new function, see below)
> return three states:
>
> 1. no stapled OCSP response
> 2. cert is valid
> 3. cert has been revoked

Note that (2) and (3) you get already during the
certificate_verify_peers() process. The
gnutls_ocsp_status_request_is_checked() is to check for informative
purposes whether the stapled OCSP response was taken into account in
the certification. Since this gnutls_ocsp_status_request_is_checked()
accepts flags, we could add a flag to modify its semantics if you
think that some information is not yet available.

> Since we have to check the whole cert chain (you already mentioned rfc 6961),
> I suggest a new function that returns an array of result codes, one for each
> cert in the chain. Similar to gnutls_certificate_get_peers(). Each result code
> with e.g. Notavail, Valid or Revoked.
> This approach would work with the current state (one stapled response) and
> with future implementations of rfc 6961 (without it, OCSP stapling seems
> totally incomplete).
> Maybe it's time to contact the Apache and Nginx people to think about rfc
> 6961?

Well, I guess so. I've put in ocsp2 branch my experimental patch for
gnutls supporting that:
https://gitorious.org/gnutls/gnutls/commit/f24c5cdb73cf0e10cfe90d28e564e780b36c0142
It most probably doesn't apply as it is now, and will require some tool
support (to combine the multiple OCSP responses into a file). Not sure
if I'll have time to complete it sometime soon.

regards,
Nikos