[gnutls-devel] OCSP / gnutls_ocsp_status_request_is_checked()
Nikos Mavrogiannopoulos
nmav at gnutls.org
Mon Jan 19 18:46:44 CET 2015
On Mon, 2015-01-19 at 17:06 +0100, Tim Ruehsen wrote:
> Sounds like a hen/egg problem to me.
> Since many web sites nowadays use intermediate CA certs, multi-stapling will
> have the same benefits as the introduction of OCSP stapling.
> I don't quite understand "will require some tool support". How can I help ?
> Let gnutls-cli use the ocsp2 code (e.g. new option --ocsp-multi) ?
I see that there are files missing from my branch, I hope that I still
have them somewhere. However, my concern when I was developing it was
that there is no standard format to store multiple OCSP responses. So I
made a quick hack with a binary format which will require minimal
parsing by the sending server. However, ocsptool doesn't generate that
format, nor is there a way to easily combine multiple responses into
it. That's what is currently missing.
The format is the same as OCSPResponseList in the wire of rfc6961, plus
a header GNUTLS_OCSP_MULTI_MAGIC.
opaque OCSPResponse<0..2^24-1>;
# each response is prefixed with a 24-bit integer showing its length
struct {
OCSPResponse ocsp_response_list<1..2^24-1>;
} OCSPResponseList;
# the list has a 24-bit integer showing its length in bytes, and
# consists of multiple OCSPResponse structs.
This was the missing part.
regards,
Nikos
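An added encoder/decoder for the wire layout described above (the RFC 6961 OCSPResponseList with a GNUTLS_OCSP_MULTI_MAGIC prefix). This is example code written for this page, not code from GnuTLS or from the branch Nikos mentions. The message does not give the value of GNUTLS_OCSP_MULTI_MAGIC, so the 4-byte tag below is an assumption, as are the constructed sample byte strings, which are placeholders and not real DER OCSP responses. The decoder enforces the length constraints that the struct notation implies (a non-empty list, each inner response fitting inside the outer list, no trailing bytes), which is what a server-side parser of a file in this format should check before stapling its contents.

```python
"""Encode/decode the GnuTLS multi-OCSP container: MAGIC || u24 list_len || (u24 len || response)*"""

# Assumed placeholder: the real GNUTLS_OCSP_MULTI_MAGIC value is not given in the message.
GNUTLS_OCSP_MULTI_MAGIC = b"GOCM"
MAX_U24 = (1 << 24) - 1


def _u24(n: int) -> bytes:
    """Big-endian 24-bit length field, as used by TLS vector encodings."""
    if not 0 <= n <= MAX_U24:
        raise ValueError(f"length {n} does not fit in 24 bits")
    return n.to_bytes(3, "big")


def _read_u24(buf: bytes, off: int, limit: int) -> int:
    """Read a u24 at buf[off:off+3], refusing to read past `limit`."""
    if off + 3 > limit:
        raise ValueError("truncated length field")
    return int.from_bytes(buf[off:off + 3], "big")


def encode_ocsp_response_list(responses: list[bytes]) -> bytes:
    """Build MAGIC + OCSPResponseList from DER-encoded OCSPResponse blobs.

    opaque OCSPResponse<0..2^24-1>: an empty element is legal (RFC 6961 uses
    a zero-length response to mean "no response for this certificate").
    OCSPResponse ocsp_response_list<1..2^24-1>: the list itself may not be empty.
    """
    if not responses:
        raise ValueError("OCSPResponseList must contain at least one OCSPResponse")
    body = b"".join(_u24(len(r)) + r for r in responses)
    return GNUTLS_OCSP_MULTI_MAGIC + _u24(len(body)) + body


def decode_ocsp_response_list(data: bytes) -> list[bytes]:
    """Parse MAGIC + OCSPResponseList, rejecting malformed or truncated input."""
    if not data.startswith(GNUTLS_OCSP_MULTI_MAGIC):
        raise ValueError("missing GNUTLS_OCSP_MULTI_MAGIC header")
    off = len(GNUTLS_OCSP_MULTI_MAGIC)
    list_len = _read_u24(data, off, len(data))
    off += 3
    if list_len == 0:
        raise ValueError("empty OCSPResponseList (minimum is 1 byte)")
    end = off + list_len
    if end > len(data):
        raise ValueError("OCSPResponseList length exceeds available data")
    responses = []
    while off < end:
        n = _read_u24(data, off, end)  # inner length must lie inside the list
        off += 3
        if off + n > end:
            raise ValueError("OCSPResponse overruns the enclosing list")
        responses.append(data[off:off + n])
        off += n
    if off != len(data):
        raise ValueError(f"{len(data) - off} trailing byte(s) after OCSPResponseList")
    return responses


def rejects(data: bytes) -> bool:
    """True if the decoder refuses `data` with ValueError (used by the checks below)."""
    try:
        decode_ocsp_response_list(data)
    except ValueError:
        return True
    return False


# Constructed sample input: placeholder byte strings standing in for DER OCSP responses
# (leaf, "no response" for an intermediate, a second intermediate). Not real OCSP data.
SAMPLE_RESPONSES = [b"\x30\x03\x0a\x01\x00", b"", b"\x04\x02ab"]

if __name__ == "__main__":
    blob = encode_ocsp_response_list(SAMPLE_RESPONSES)
    print(blob.hex())
    print(decode_ocsp_response_list(blob) == SAMPLE_RESPONSES)
```

The error-path checks matter more than the happy path: a stapling server typically loads this file once at startup and copies it into the status_request_v2 extension on every handshake, so a container whose inner lengths disagree with the outer one should be refused at load time rather than discovered by clients.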