[gnutls-devel] Support for OCSP Must-staple ?

Jouni Malinen jkmalinen at gmail.com
Mon May 23 10:14:42 CEST 2016


On Mon, May 23, 2016 at 10:43 AM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> That's very nice. It certainly helps me prioritise that higher. My
> question is how do you have administrators to provide the multiple
> responses in your implementation?

Since the main use case for hostapd as an authentication server is
testing purposes, I'm simply using a file with the fixed responses
(DER encoded OCSPResponseList). Or well, the file can be replaced as
an update at runtime, but anyway, all the details on how to generate
the actual OCSP responses are out of scope for hostapd. For the
automated testing needs, I have the test script build this from two
OCSP responses:

# Cached OCSP stapling response list (DER encoded OCSPResponseList)
# This is similar to ocsp_stapling_response, but the extended version defined in
# RFC 6961 to allow multiple OCSP responses to be provided.
#ocsp_stapling_response_multi=/tmp/ocsp-multi-cache.der

That reference to ocsp_stapling_response is the pre-RFC 6961 case of a
single response. The data in that file is exactly what I return from
the callback function registered with
gnutls_certificate_set_ocsp_status_request_function(). For ocsp_multi,
I'd need to either have the callback function return that DER encoded
OCSPResponseList or make the function convert it to whatever the
GnuTLS API needs for this on the server side.

- Jouni
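RFC 6961 defines the OCSPResponseList carried for status_type ocsp_multi as a TLS-style vector: a 24-bit total length followed by each DER OCSP response as its own 24-bit-length-prefixed opaque entry (an empty entry means "no response for this certificate"). As an added example, not code from hostapd or GnuTLS, here is a stand-alone C encoder that assembles such a list from two responses, the way the test script described above does, plus the validating parser a receiver needs before trusting any entry. The two response blobs are constructed stand-ins, not real OCSP responses.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Write / read a 24-bit big-endian TLS vector length. */
static void put_u24(uint8_t *p, size_t v) {
    p[0] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)v;
}
static size_t get_u24(const uint8_t *p) {
    return ((size_t)p[0] << 16) | ((size_t)p[1] << 8) | p[2];
}

/* Build an RFC 6961 OCSPResponseList from n DER OCSP responses:
 * a 24-bit total length, then each response as <24-bit length, bytes>.
 * A zero-length entry is allowed (no response for that certificate), but
 * the list itself must not be empty. Returns the total bytes written, or 0
 * if out_cap is too small or a length exceeds the 2^24-1 vector limit. */
size_t ocsp_list_encode(const uint8_t *const *resps, const size_t *lens,
                        size_t n, uint8_t *out, size_t out_cap) {
    size_t body = 0, off = 3, i;
    for (i = 0; i < n; i++) {
        if (lens[i] > 0xFFFFFF) return 0;
        body += 3 + lens[i];
    }
    if (body == 0 || body > 0xFFFFFF || out_cap < 3 + body) return 0;
    put_u24(out, body);
    for (i = 0; i < n; i++) {
        put_u24(out + off, lens[i]);
        memcpy(out + off + 3, resps[i], lens[i]);
        off += 3 + lens[i];
    }
    return off;
}

/* Validate a received list. Returns the entry count, or -1 if the lengths
 * do not add up exactly: truncated data, trailing garbage, an empty list,
 * or an inner length that runs past the end of the buffer. */
int ocsp_list_count(const uint8_t *buf, size_t len) {
    size_t body, off = 3, l;
    int count = 0;
    if (len < 3) return -1;
    body = get_u24(buf);
    if (body == 0 || body + 3 != len) return -1;
    while (off < len) {
        if (len - off < 3) return -1;
        l = get_u24(buf + off);
        off += 3;
        if (l > len - off) return -1;
        off += l;
        count++;
    }
    return count;
}
```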


