[gnutls-devel] Support for OCSP Must-staple ?

Tim Ruehsen tim.ruehsen at gmx.de
Fri May 20 15:28:31 CEST 2016


On Friday 20 May 2016 13:02:17 Jeremy Harris wrote:
> On 20/05/16 11:49, Tim Ruehsen wrote:
> > do you have any plans to implement/support RFC7633 in the near future ?
> 
> While we're asking, how about rfc6961 (full-chain staple) also?

From my todo list ;-)

    - add OCSP multi-stapling by simply merging the OCSP answers into one ASN.1
      file. gnutls-cli has to be extended for that; the low-level stuff should be
      done in the 3.4 branch.
    - add OCSP multi-stapling to gnutls-serv, so we can test gnutls-cli with
      gnutls-serv.
    - add support for this file in modgnutls of Apache; it should be
      straightforward. The GNUTLS API should be ready for doing that.
    - add OCSP multi-stapling to wget2. We can test with modgnutls or
      gnutls-serv.


We had some discussion about it on this list one or two years ago.
But tasks are always interrupted by higher priority tasks which are 
interrupted by ... never ending story :-(

Regarding the RFC6961... do you know of any implementation (library, client, 
server) ?
You'll find some discussions when searching for mozilla/rfc6961/ocsp... from 
what I read, browser vendors don't like the overhead of multi-stapling. They 
go with a combination of single-stapling and caching.

So, before implementing RFC6961 you should investigate the usefulness and 
alternatives. And you should come with server support for Apache and Nginx.
Having working code for gnutls-cli and gnutls-serv could of course be a big 
advantage to get it rolling.

Regards, Tim
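As an added example (not code from GnuTLS, wget2 or this thread), the following decodes the RFC 7633 TLS Feature extension value (OID 1.3.6.1.5.5.7.1.24, a DER SEQUENCE OF INTEGER of TLS extension numbers) and applies Must-Staple semantics on the client side: if the certificate lists status_request (5) and the server sends no stapled OCSP response, the handshake must hard-fail instead of silently falling back. Function names and the sample DER bytes are constructed for this example.

```python
# Added example: decode the RFC 7633 TLS Feature extension value and decide
# what a client must do when no OCSP staple arrives.  Feature 5 is
# status_request (OCSP Must-Staple); 17 is status_request_v2 (RFC 6961 multi-stapling).
TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"
STATUS_REQUEST = 5
STATUS_REQUEST_V2 = 17


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos). Handles long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_tls_features(der):
    """Return the list of TLS extension numbers encoded in a TLSFeature extension value."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):      # must be exactly one SEQUENCE, no trailing bytes
        raise ValueError("TLSFeature must be a single DER SEQUENCE")
    features, pos = [], 0
    while pos < len(seq):
        t, v, pos = _read_tlv(seq, pos)
        if t != 0x02:
            raise ValueError("TLSFeature items must be INTEGERs")
        features.append(int.from_bytes(v, "big", signed=True))
    return features


def requires_stapling(tls_feature_der):
    """True if the certificate asserts OCSP Must-Staple (status_request listed)."""
    return STATUS_REQUEST in parse_tls_features(tls_feature_der)


def evaluate_handshake(tls_feature_der, stapled_response_present):
    """Client-side decision. tls_feature_der is None when the cert has no TLS Feature extension.
    Returns "ok", "hard-fail" (Must-Staple cert without a staple) or "soft-fail"
    (no Must-Staple: the client may fetch OCSP itself or proceed per local policy)."""
    if stapled_response_present:
        return "ok"
    if tls_feature_der is not None and requires_stapling(tls_feature_der):
        return "hard-fail"
    return "soft-fail"
```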