[gnutls-devel] Looking for OCSP Stapling client example
Tim Ruehsen
tim.ruehsen at gmx.de
Wed Nov 12 12:38:25 CET 2014
Hi Nikos,
thanks for your answer.
On Friday 07 November 2014 19:17:16 Nikos Mavrogiannopoulos wrote:
> On Fri, 2014-11-07 at 14:15 +0100, Tim Ruehsen wrote:
> > Hi,
> >
> > could you point to GnuTLS client code that uses OCSP Stapling and/or some
> > docs that explains how to implement this for a client ?
>
> You mean verification of the servers certificate using OCSP? That is
> already discussed in the manual, maybe not in a clear way.
>
> There are two options for a client (and you can combine them):
> 1. Rely on the server's status request which attaches an OCSP response
> during handshake. This is checked automatically by gnutls if available
> and you can query whether it was checked using
> gnutls_ocsp_status_request_is_checked(). Limitation: it only checks the
> server's end certificate (so if there are intermediate CAs which are
> revoked you may never know).
> http://www.gnutls.org/manual/html_node/OCSP-status-request.html#OCSP-status-request
>
> 2. Query the OCSP servers of the certificates that you received
> manually. This pretty much involves making HTTP queries, and is
> discussed at:
> http://www.gnutls.org/manual/html_node/OCSP-certificate-status-checking.html#OCSP-certificate-status-checking
> and an example using libcurl is at:
> http://www.gnutls.org/manual/html_node/OCSP-example.html#OCSP-example
Right now I am interested in 1. (OCSP Stapling).
It took a while for me to find a server that is appropriately configured.
Testing with OpenSSL
$ openssl s_client -connect movlib.org:443 -tls1 -tlsextdebug -status
...
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = IL, O = StartCom Ltd. (Start Commercial Limited), CN = StartCom Class 1 Server OCSP Signer
Produced At: Nov 11 19:31:12 2014 GMT
...
In my verify callback routine (after gnutls_certificate_verify_peers3()),
gnutls_ocsp_status_request_is_checked() always returns 0.
Even when explicitly calling gnutls_ocsp_status_request_enable_client() before
handshake.
Do you have any idea, what is going wrong or how to find out ?
gnutls-cli --ocsp seems to only work with 2. (querying the OCSP server)!?
$ gnutls-cli --version
gnutls-cli 3.3.8
> The above example sets a nonce in the message to ensure that the reply
> received from the OCSP server is fresh. That unfortunately as far as I
> remember is supported by almost no servers, so you may want to skip it
> (or test it and see how it is now). You can also check gnutls-cli how it
> checks against the ocsp servers. Suggestions or patches to improve the
> documentation are welcome.
The docs of gnutls_ocsp_status_request_is_checked() say that this function
only works after gnutls_certificate_verify_peers3(). What about
gnutls_certificate_verify_peers2() ?
What you wrote above (1. and 2.) should go (a bit polished) in here:
> http://www.gnutls.org/manual/html_node/OCSP-status-request.html#OCSP-status-request
Regards, Tim
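Added example (not from the thread and not GnuTLS code): what the stapled response in option 1 actually looks like on the wire, and the two checks a client still owes itself even after the library has verified the responder's signature. The server sends a TLS CertificateStatus handshake message (RFC 6066 section 8) whose payload is a DER OCSPResponse (RFC 6960). Because a stapled response is fetched by the server, it carries no client nonce, so the client's only freshness guard is the thisUpdate/nextUpdate window, and the certStatus of the end-entity certificate has to be read out explicitly. The message below is constructed inline with made-up hashes, serial and a placeholder signature; signature verification is deliberately left to the TLS library, as the quoted reply says GnuTLS does for stapled responses.

```python
"""Decode a TLS CertificateStatus message (RFC 6066 s8) carrying a stapled
OCSPResponse (RFC 6960) and apply the checks a stapling client must do itself.
All sample data is constructed; the signature is a placeholder and not verified."""
from datetime import datetime, timedelta, timezone

OCSP_BASIC = (1, 3, 6, 1, 5, 5, 7, 48, 1, 1)   # id-pkix-ocsp-basic


# --- tiny DER writer, used only to build the constructed sample -------------
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def oid(arcs):
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                      # base-128, high bit set on all but last
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return der(0x06, bytes(out))


def gtime(s):
    return der(0x18, s.encode())      # GeneralizedTime "YYYYMMDDhhmmssZ"


def build_sample_certificate_status(revoked=False):
    """Constructed CertificateStatus for one end-entity cert (hashes/serial made up)."""
    cert_id = der(0x30, der(0x30, oid((1, 3, 14, 3, 2, 26)) + der(0x05, b""))  # sha1
                  + der(0x04, b"\x11" * 20) + der(0x04, b"\x22" * 20)
                  + der(0x02, b"\x01\x02\x03"))
    # CertStatus: good = [0] IMPLICIT NULL, revoked = [1] IMPLICIT RevokedInfo
    cert_status = der(0xA1, gtime("20141110000000Z")) if revoked else b"\x80\x00"
    single = der(0x30, cert_id + cert_status + gtime("20141111193112Z")
                 + der(0xA0, gtime("20141118193112Z")))          # [0] nextUpdate
    tbs = der(0x30, der(0xA2, der(0x04, b"\x33" * 20))            # responderID byKey
              + gtime("20141111193112Z") + der(0x30, single))      # producedAt, responses
    basic = der(0x30, tbs + der(0x30, oid((1, 2, 840, 113549, 1, 1, 11)) + der(0x05, b""))
                + der(0x03, b"\x00" * 17))                         # placeholder signature
    ocsp = der(0x30, der(0x0A, b"\x00")                            # responseStatus successful
               + der(0xA0, der(0x30, oid(OCSP_BASIC) + der(0x04, basic))))
    body = b"\x01" + len(ocsp).to_bytes(3, "big") + ocsp            # status_type ocsp(1)
    return b"\x16" + len(body).to_bytes(3, "big") + body            # handshake type 22


# --- DER reader ---------------------------------------------------------------
def tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                 # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out


def gt_parse(raw):
    return datetime.strptime(raw.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_certificate_status(msg):
    if msg[0] != 0x16:
        raise ValueError("not a certificate_status handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if body[0] != 1:
        raise ValueError("status_type is not ocsp(1)")
    ocsp = body[4:4 + int.from_bytes(body[1:4], "big")]
    fields = children(tlv(ocsp)[1])
    out = {"status": fields[0][1][0]}             # OCSPResponseStatus
    if out["status"] != 0:                        # e.g. tryLater(3): nothing to check
        return out
    rtype, rdata = children(tlv(fields[1][1])[1])  # ResponseBytes
    if der(0x06, rtype[1]) != oid(OCSP_BASIC):
        raise ValueError("unsupported responseType")
    tbs = children(children(tlv(rdata[1])[1])[0][1])   # ResponseData fields
    if tbs[0][0] == 0xA0:                         # optional [0] version
        tbs = tbs[1:]
    out["produced_at"] = gt_parse(tbs[1][1])
    single = children(children(tbs[2][1])[0][1])  # first SingleResponse
    out["cert_status"] = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}[single[1][0]]
    out["this_update"] = gt_parse(single[2][1])
    out["next_update"] = None
    if len(single) > 3 and single[3][0] == 0xA0:
        out["next_update"] = gt_parse(tlv(single[3][1])[1])
    return out


def check_stapled(msg, now, skew=timedelta(minutes=5)):
    """Return (ok, reason). No nonce exists for a stapled response, so freshness is
    the thisUpdate/nextUpdate window; rejecting a missing nextUpdate is a policy choice."""
    r = parse_certificate_status(msg)
    if r["status"] != 0:
        return False, "responseStatus %d" % r["status"]
    if r["cert_status"] != "good":
        return False, "certificate is " + r["cert_status"]
    if r["this_update"] > now + skew:
        return False, "thisUpdate is in the future"
    if r["next_update"] is None:
        return False, "no nextUpdate: cannot bound freshness"
    if now > r["next_update"] + skew:
        return False, "response expired at %s" % r["next_update"]
    return True, "good until %s" % r["next_update"]


if __name__ == "__main__":
    print(check_stapled(build_sample_certificate_status(), utc("2014-11-12 12:38:25")))
```

Run it and the constructed response is accepted on the day of the mail and rejected once nextUpdate has passed, which is the check a real client should run on whatever gnutls_ocsp_status_request_get() hands back in addition to asking gnutls_ocsp_status_request_is_checked().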