[gnutls-devel] Support for OCSP Must-staple ?

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri May 20 17:32:35 CEST 2016


On Fri, May 20, 2016 at 3:28 PM, Tim Ruehsen <tim.ruehsen at gmx.de> wrote:
> On Friday 20 May 2016 13:02:17 Jeremy Harris wrote:
>> On 20/05/16 11:49, Tim Ruehsen wrote:
>> > do you have any plans to implement/support RFC7633 in the near future ?
>>
>> While we're asking, how about rfc6961 (full-chain staple) also?
>
> From my todo list ;-)
>     add OCSP multi-stapling by simply merging the OCSP answers into one ASN.1
> file. gnutls-cli has to be extended for that, the low-level stuff should be done
> in 3.4 branch.
>     add OCSP multi-stapling to gnutls-serv, so we can test gnutls-cli with
> gnutls-serv.
>     add support for this file in modgnutls of Apache, it should be
> straightforward. The GNUTLS API should be ready for doing that.
>     add OCSP multi-stapling to wget2. We can test with modgnutls or gnutls-
> serv.
> We had some discussion about it on this list one or two years ago.
> But tasks are always interrupted by higher priority tasks which are
> interrupted by ... never ending story :-(

That attempt is on the ocsp2 branch at:
https://gitlab.com/gnutls/gnutls/commits/ocsp2

I don't remember how far it had gone, or whether it can apply on
master, but I remember I didn't follow up because there were no other
implementations of it, nor any plans for it. I can see it is still
open at NSS and openssl. However, with the track OCSP stapling is
taking, this will become something required in the future. So if there
is someone to push for it and create the required tooling (for an
admin to aggregate OCSP responses) I'm all for including it.

regards,
Nikos
