[gnutls-devel] support of stapled OCSP responses under TLS1.3

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Mon Nov 20 08:56:43 CET 2017
On Fri, Oct 13, 2017 at 1:50 PM, Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at gmail.com> wrote:
> Hi,
>  I'm going through the support of stapled OCSP responses under TLS1.3.
> The major change in TLS1.3 is that there can be an OCSP response for
> each certificate sent, rather than one response for the
> end-certificate, and such responses can be provided also for the
> client certificate.
> Supporting multiple responses when verifying the certificates seems
> straightforward as we were doing that transparently without the
> application intervening.
[...]

Hi,
 The merge request introducing multiple OCSP staples under TLS1.3 is at:
https://gitlab.com/gnutls/gnutls/merge_requests/548

It tries hard not to require new APIs by enhancing
gnutls_certificate_set_ocsp_status_request_file() to parse the
response file and associate it with a certificate. On the other hand,
a new callback could not be avoided to retrieve more than one
response, hence
gnutls_certificate_set_ocsp_status_request_function3() is added, as
well as gnutls_ocsp_status_request_get2() for the application to read the
responses.

I'd appreciate a review on that new functionality if you are already
familiar with the previous OCSP handling code, or intend to use it.

After a discussion with Hubert Kario, I've also opened [0] which is
about automating the retrieval of OCSP responses and association with
server credentials, to reduce complexity from servers. It's currently
a bit low priority in the tls1.3 plan [1], and up for grabs, but it
would make an application server's code much simpler.

regards,
Nikos

[0]. https://gitlab.com/gnutls/gnutls/issues/326
[1]. https://gitlab.com/gnutls/gnutls/milestones/8