[gnutls-devel] Support for OCSP Must-staple?
tim.ruehsen at gmx.de
Fri May 20 15:28:31 CEST 2016
On Friday 20 May 2016 13:02:17 Jeremy Harris wrote:
> On 20/05/16 11:49, Tim Ruehsen wrote:
> > do you have any plans to implement/support RFC7633 in the near future?
> While we're asking, how about rfc6961 (full-chain staple) also?
From my todo list ;-)
- Add OCSP multi-stapling by simply merging the OCSP answers into one ASN.1
  file. gnutls-cli has to be extended for that; the low-level stuff should be
  done in the 3.4 branch.
- Add OCSP multi-stapling to gnutls-serv, so we can test gnutls-cli with
- Add support for this file in mod_gnutls of Apache; it should be
  straightforward. The GnuTLS API should be ready for doing that.
- Add OCSP multi-stapling to wget2. We can test with mod_gnutls or gnutls-
We had some discussion about it on this list one or two years ago.
But tasks are always interrupted by higher priority tasks which are
interrupted by ... never-ending story :-(
Regarding the RFC6961... do you know of any implementation (library, client,
You'll find some discussions when searching for mozilla/rfc6961/ocsp... From
what I read, browser vendors don't like the overhead of multi-stapling. They
go with a combination of single-stapling and caching.
So, before implementing RFC6961 you should investigate the usefulness and
alternatives. And you should come with server support for Apache and Nginx.
Having working code for gnutls-cli and gnutls-serv could of course be a big
advantage to get it rolling.
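Added example, not code from this thread or from GnuTLS: RFC 7633 expresses "Must-Staple" as the X.509 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24) whose value is a SEQUENCE OF INTEGER naming TLS extension numbers, 5 for status_request (single OCSP staple) and 17 for status_request_v2 (the RFC 6961 multi-staple variant). The stdlib-only DER walker below scans an X.509 Extensions block for that extension and reports what it demands, which is the check a client such as gnutls-cli or wget2 has to make before deciding that a missing staple is a hard failure. Function names are my own, and the Extensions bytes are constructed by hand in the block so it runs offline without a real certificate.

```python
# Added example, not code from the gnutls-devel thread or from GnuTLS: a
# stdlib-only DER walker that scans an X.509 Extensions block for the RFC 7633
# TLS Feature extension (OID 1.3.6.1.5.5.7.1.24) and reports which
# status_request features the certificate demands. Feature 5 is status_request
# (the "Must-Staple" marker); feature 17 is status_request_v2, the RFC 6961
# multi-stapling variant. Function names and the sample bytes are assumptions.

TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"
FEATURE_NAMES = {5: "status_request", 17: "status_request_v2"}


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content bytes, next offset)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Turn the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def tls_features(extensions_der):
    """Return the feature numbers listed in the TLSFeature extension, or None
    when the certificate carries no such extension."""
    tag, ext_seq, _ = _read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    pos = 0
    while pos < len(ext_seq):
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
        #                          extnValue OCTET STRING }
        _, ext, pos = _read_tlv(ext_seq, pos)
        t, oid, p = _read_tlv(ext, 0)
        if t != 0x06:
            raise ValueError("extnID must be an OBJECT IDENTIFIER")
        t, value, p = _read_tlv(ext, p)
        if t == 0x01:  # optional 'critical' BOOLEAN; skip to the OCTET STRING
            t, value, p = _read_tlv(ext, p)
        if _decode_oid(oid) != TLS_FEATURE_OID:
            continue
        # extnValue wraps Features ::= SEQUENCE OF INTEGER
        _, feats, _ = _read_tlv(value, 0)
        out, q = [], 0
        while q < len(feats):
            _, v, q = _read_tlv(feats, q)
            out.append(int.from_bytes(v, "big"))
        return out
    return None


def must_staple(extensions_der):
    """True when the certificate requires the TLS status_request extension,
    i.e. a server presenting it must staple an OCSP response."""
    feats = tls_features(extensions_der)
    return feats is not None and 5 in feats


# --- constructed sample input (DER built by hand so the example runs offline) ---

def _tlv(tag, content):
    assert len(content) < 128, "short-form lengths are enough for the sample"
    return bytes([tag, len(content)]) + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        digits = [a & 0x7F]
        a >>= 7
        while a:
            digits.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(digits))
    return _tlv(0x06, body)


def make_extensions(features=None):
    """Constructed Extensions block: a critical keyUsage extension
    (digitalSignature | keyEncipherment) followed, when `features` is given,
    by a TLSFeature extension listing those feature numbers."""
    key_usage = _tlv(0x30, _encode_oid("2.5.29.15")
                     + _tlv(0x01, b"\xff")
                     + _tlv(0x04, bytes.fromhex("030205a0")))
    exts = key_usage
    if features is not None:
        feats = _tlv(0x30, b"".join(_tlv(0x02, bytes([f])) for f in features))
        exts += _tlv(0x30, _encode_oid(TLS_FEATURE_OID) + _tlv(0x04, feats))
    return _tlv(0x30, exts)


if __name__ == "__main__":
    for label, ext in [("plain", make_extensions()),
                       ("must-staple", make_extensions([5])),
                       ("v1+v2", make_extensions([5, 17]))]:
        feats = tls_features(ext)
        names = [FEATURE_NAMES.get(f, str(f)) for f in feats or []]
        print(f"{label:12s} features={names} must_staple={must_staple(ext)}")
```

The walker only descends into the Extensions SEQUENCE, so on a real certificate you would first strip the outer Certificate/TBSCertificate layers with the same `_read_tlv` helper and hand it the `[3] EXPLICIT Extensions` content. A certificate that lists only feature 17 is not Must-Staple in the RFC 7633 sense for a client that speaks only status_request, which is why `must_staple` tests for 5 specifically.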