[gnutls-devel] Interaction between TLS session resumption and the OCSP must-staple certificate extension
Tim Kosse
tim.kosse at filezilla-project.org
Tue Jun 27 20:07:26 CEST 2017
Hi,
On 2017-06-27 17:22, TJ Saunders wrote:
> If we are to ignore the ClientHello extensions for a resumed session,
> then we would not send the stapled OCSP response. The RFC 6066 Section
> 1.1 text, in my reading, says that the ServerHello emitted by the TLS
> server, for a resumed session, MUST NOT contain any of the TLS
> extensions -- and this would include the stapled OCSP response. That
> is, the ServerHello of the resumed session must be different; it is not
> described as being a "replay" of the original ServerHello.
The stapled OCSP response is sent in a separate CertificateStatus
handshake packet; it is not even part of the ServerHello.
Regards,
Tim
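The message framing Tim refers to, as an added illustration that is not code from this thread or from GnuTLS: a small parser that walks a TLS 1.2 server handshake flight and reports whether a CertificateStatus message (RFC 6066 section 8) carrying a stapled OCSP response is present. The handshake bytes and the OCSP body are constructed placeholders.

```python
# Added example, not from the gnutls-devel thread or GnuTLS. All bytes below
# are constructed; OCSP_BLOB is a placeholder, not a real OCSP response.
SERVER_HELLO, CERTIFICATE, CERTIFICATE_STATUS, SERVER_HELLO_DONE, FINISHED = 2, 11, 22, 14, 20
STATUS_TYPE_OCSP = 1  # CertificateStatusType.ocsp


def iter_handshake_messages(buf: bytes):
    """Yield (msg_type, body) per handshake message: 1-byte type, 3-byte length."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated handshake header")
        length = int.from_bytes(buf[off + 1:off + 4], "big")
        body = buf[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        yield buf[off], body
        off += 4 + length


def parse_certificate_status(body: bytes) -> bytes:
    """CertificateStatus body = status_type(1) + opaque OCSPResponse<1..2^24-1>."""
    if len(body) < 4 or body[0] != STATUS_TYPE_OCSP:
        raise ValueError("unsupported status_type")
    n = int.from_bytes(body[1:4], "big")
    if n == 0 or len(body) != 4 + n:
        raise ValueError("bad OCSPResponse length")
    return body[4:]


def stapled_ocsp_response(flight: bytes):
    """Return the stapled OCSPResponse bytes, or None when the flight carries no
    CertificateStatus message. An abbreviated (resumed) TLS 1.2 handshake sends
    neither Certificate nor CertificateStatus, only ServerHello and Finished."""
    for msg_type, body in iter_handshake_messages(flight):
        if msg_type == CERTIFICATE_STATUS:
            return parse_certificate_status(body)
    return None


def msg(msg_type: int, body: bytes) -> bytes:
    """Frame one handshake message (used only to build the constructed flights)."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


# Constructed server flights; the ServerHello body is a minimal TLS 1.2 stub.
SERVER_HELLO_STUB = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
OCSP_BLOB = b"\x30\x03\x0a\x01\x00"  # placeholder DER, not a real OCSP response
FULL_FLIGHT = (msg(SERVER_HELLO, SERVER_HELLO_STUB) + msg(CERTIFICATE, b"\x00\x00\x00")
               + msg(CERTIFICATE_STATUS, b"\x01" + len(OCSP_BLOB).to_bytes(3, "big") + OCSP_BLOB)
               + msg(SERVER_HELLO_DONE, b""))
RESUMED_FLIGHT = msg(SERVER_HELLO, SERVER_HELLO_STUB) + msg(FINISHED, bytes(12))
```

Running stapled_ocsp_response over a full flight yields the OCSP body; over the resumed flight it yields None, which is the case a must-staple-aware client has to reason about separately from the ServerHello extensions.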