[gnutls-devel] support of stapled OCSP responses under TLS1.3
n.mavrogiannopoulos at gmail.com
Mon Nov 20 08:56:43 CET 2017
On Fri, Oct 13, 2017 at 1:50 PM, Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at gmail.com> wrote:
> I'm going through the support of stapled OCSP responses under TLS1.3.
> The major change in TLS1.3 is that there can be an OCSP response for
> each certificate sent, rather than one response for the
> end-certificate, and such responses can be provided also for the
> client certificate.
> Supporting multiple responses when verifying the certificates seems
> straightforward as we were doing that transparently without the
> application intervening.
The merge request introducing multiple OCSP staples under TLS1.3 is at:
It tries hard not to require new APIs by enhancing
gnutls_certificate_set_ocsp_status_request_file() to parse the
response file and associate it with a certificate. On the other hand,
a new callback could not be avoided to retrieve more than one
gnutls_certificate_set_ocsp_status_request_function3() is added, as
well as gnutls_ocsp_status_request_get2() for the application to read the
I'd appreciate a review on that new functionality if you are already
familiar with the previous OCSP handling code, or intend to use it.
After a discussion with Hubert Kario, I've also opened  which is
about automating the retrieval of OCSP responses and association with
server credentials, to reduce complexity from servers. It's currently
a bit low priority in the tls1.3 plan , and up for grabs, but it
would make an application server's code much simpler.
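The wire-level change the message refers to (one OCSP response per certificate rather than a single CertificateStatus message for the end-entity certificate) is easiest to see on the TLS 1.3 Certificate message itself: each CertificateEntry carries its own extensions vector, and a status_request extension there holds a CertificateStatus for exactly that certificate (RFC 8446 section 4.4.2, RFC 6066 section 8). The following is an added, stand-alone example written for this page, not code from GnuTLS or from the merge request; it builds such a message for a constructed three-certificate chain (the certificate and OCSP bytes are placeholder strings, not real DER or real responses) and parses it back with the bounds checks a verifier needs, so that a staple can be associated with the entry it was sent with and a missing staple is reported as absent rather than silently reusing the leaf's.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example: TLS 1.3 Certificate message with a per-CertificateEntry
 * status_request extension.  Not GnuTLS code; all byte strings are
 * constructed placeholders. */

#define EXT_STATUS_REQUEST 5   /* ExtensionType status_request (RFC 6066) */
#define STATUS_TYPE_OCSP   1   /* CertificateStatusType ocsp */

struct cert_entry {
    const uint8_t *cert; size_t cert_len;
    const uint8_t *ocsp; size_t ocsp_len;   /* ocsp == NULL: entry has no staple */
};

static void put16(uint8_t *p, size_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put24(uint8_t *p, size_t v) { p[0] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)v; }
static size_t get16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }
static size_t get24(const uint8_t *p) { return ((size_t)p[0] << 16) | ((size_t)p[1] << 8) | p[2]; }

/* Append one CertificateEntry { cert_data<1..2^24-1>; Extension extensions<0..2^16-1>; }.
 * With ocsp != NULL the extensions vector holds a single status_request whose
 * extension_data is CertificateStatus { status_type; OCSPResponse<1..2^24-1> }. */
static size_t put_entry(uint8_t *p, const uint8_t *cert, size_t cert_len,
                        const uint8_t *ocsp, size_t ocsp_len)
{
    size_t n = 0;
    put24(p + n, cert_len); n += 3;
    memcpy(p + n, cert, cert_len); n += cert_len;
    if (ocsp == NULL) { put16(p + n, 0); return n + 2; }      /* empty extensions */
    size_t data_len = 1 + 3 + ocsp_len;                       /* status_type + length + body */
    put16(p + n, 4 + data_len); n += 2;                       /* extensions length */
    put16(p + n, EXT_STATUS_REQUEST); n += 2;
    put16(p + n, data_len); n += 2;
    p[n++] = STATUS_TYPE_OCSP;
    put24(p + n, ocsp_len); n += 3;
    memcpy(p + n, ocsp, ocsp_len); n += ocsp_len;
    return n;
}

/* Server-side Certificate body (no Handshake header): empty
 * certificate_request_context, then a chain of leaf, intermediate and root.
 * Leaf and intermediate each carry their own constructed OCSP response, the
 * root none.  Returns the message length, 0 if the buffer is too small. */
size_t build_certificate_msg(uint8_t *out, size_t cap)
{
    static const uint8_t leaf[] = "CERT-LEAF", inter[] = "CERT-INTERMEDIATE", root[] = "CERT-ROOT";
    static const uint8_t ocsp_leaf[] = "OCSP-LEAF-RESPONSE", ocsp_inter[] = "OCSP-INTERMEDIATE-RESPONSE";
    if (cap < 256) return 0;
    size_t n = 0;
    out[n++] = 0;                       /* certificate_request_context<0..2^8-1>, empty */
    size_t list_pos = n; n += 3;        /* certificate_list<0..2^24-1> length, patched below */
    n += put_entry(out + n, leaf,  sizeof leaf - 1,  ocsp_leaf,  sizeof ocsp_leaf - 1);
    n += put_entry(out + n, inter, sizeof inter - 1, ocsp_inter, sizeof ocsp_inter - 1);
    n += put_entry(out + n, root,  sizeof root - 1,  NULL, 0);
    put24(out + list_pos, n - list_pos - 3);
    return n;
}

/* Parse a Certificate body into entries[]; returns the entry count or -1 on
 * malformed input.  Every vector length is checked against the bytes that
 * remain, so truncation, overlong lengths and duplicate status_request
 * extensions are rejected instead of being read past the buffer. */
int parse_certificate_msg(const uint8_t *msg, size_t len, struct cert_entry *entries, size_t max_entries)
{
    size_t pos = 0, count = 0;
    if (len < 1) return -1;
    size_t ctx_len = msg[pos++];
    if (ctx_len > len - pos) return -1;
    pos += ctx_len;
    if (len - pos < 3) return -1;
    size_t list_len = get24(msg + pos); pos += 3;
    if (list_len != len - pos) return -1;          /* truncated or trailing bytes */
    while (pos < len) {
        if (count == max_entries || len - pos < 3) return -1;
        size_t cert_len = get24(msg + pos); pos += 3;
        if (cert_len == 0 || cert_len > len - pos) return -1;
        struct cert_entry *e = &entries[count];
        e->cert = msg + pos; e->cert_len = cert_len; pos += cert_len;
        e->ocsp = NULL; e->ocsp_len = 0;
        if (len - pos < 2) return -1;
        size_t ext_len = get16(msg + pos); pos += 2;
        if (ext_len > len - pos) return -1;
        size_t ext_end = pos + ext_len;
        while (pos < ext_end) {
            if (ext_end - pos < 4) return -1;
            size_t type = get16(msg + pos), data_len = get16(msg + pos + 2); pos += 4;
            if (data_len > ext_end - pos) return -1;
            if (type == EXT_STATUS_REQUEST) {
                if (e->ocsp != NULL || data_len < 4 || msg[pos] != STATUS_TYPE_OCSP) return -1;
                size_t rlen = get24(msg + pos + 1);
                if (rlen == 0 || rlen != data_len - 4) return -1;
                e->ocsp = msg + pos + 4; e->ocsp_len = rlen;   /* staple for THIS entry */
            }
            pos += data_len;                       /* unknown extensions are skipped */
        }
        count++;
    }
    return (int)count;
}

/* Round trip on the constructed chain: returns how many entries carry a
 * staple (2 for the chain above), or -1 if building or parsing failed. */
int roundtrip_staple_count(void)
{
    uint8_t buf[256]; struct cert_entry e[4]; int staples = 0;
    size_t n = build_certificate_msg(buf, sizeof buf);
    int count = n ? parse_certificate_msg(buf, n, e, 4) : -1;
    for (int i = 0; i < count; i++) staples += (e[i].ocsp != NULL);
    return count < 0 ? -1 : staples;
}

int main(void)
{
    uint8_t buf[256]; struct cert_entry e[4];
    size_t n = build_certificate_msg(buf, sizeof buf);
    int count = parse_certificate_msg(buf, n, e, 4);
    for (int i = 0; i < count; i++)
        printf("entry %d: cert %.*s, staple %s\n", i, (int)e[i].cert_len, e[i].cert,
               e[i].ocsp ? "present" : "absent");
    return 0;
}
```

The parser deliberately keeps the staple attached to the entry it arrived in and never falls back to the leaf's response for an entry without one; a client verifying the chain can then check each certificate against its own response and treat "absent" as "no stapled status", which is the association the enhanced set_ocsp_status_request_file() and the new callback are meant to provide on the sending side.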