[gnutls-devel] Looking for OCSP Stapling client example

Tim Ruehsen tim.ruehsen at gmx.de
Thu Nov 13 11:23:08 CET 2014


On Thursday 13 November 2014 10:21:07 Nikos Mavrogiannopoulos wrote:
> On Wed, Nov 12, 2014 at 12:38 PM, Tim Ruehsen <tim.ruehsen at gmx.de> wrote:
> >> 2. Query the OCSP servers of the certificates that you received
> >> manually. This pretty much involves making HTTP queries, and is
> >> discussed at:
> >> http://www.gnutls.org/manual/html_node/OCSP-certificate-status-checking.html#OCSP-certificate-status-checking
> >> and an example using libcurl is at:
> >> http://www.gnutls.org/manual/html_node/OCSP-example.html#OCSP-example
> 
> > Right now I am interested in 1. (OCSP Stapling).
> > It took a while for me to find a server that is appropriately configured.
> > Testing with OpenSSL
> > $ openssl s_client -connect movlib.org:443 -tls1 -tlsextdebug -status
> 
> [...]
> 
> > In my verify callback routine (after gnutls_certificate_verify_peers3()),
> > gnutls_ocsp_status_request_is_checked() always returns 0.
> 
> There is something strange with that server. I check the wireshark
> output of a connection to that server with openssl and the one with
> gnutls. They are different. With gnutls client the server doesn't
> advertise its support for ocsp and doesn't send the ocsp response. The
> contents of the extension sent by the client are the same in both
> cases.

I can't find a working web server. They seem to behave like movlib.org,
e.g. take blog.cloudflare.com:443.

They seemingly made lots of tests:
http://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/

Tim
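The comparison above pits openssl against gnutls; a third, independent client helps tell a server quirk from a GnuTLS bug. Added example, not part of this thread and not GnuTLS code: a small Go probe built on crypto/tls, whose client always offers the status_request extension, reporting whether the server stapled anything and the top-level responseStatus of what it sent. It assumes only the Go standard library and a live connection to the host; it does not check the certificate status inside the response.

```go
package main

import (
	"crypto/tls"
	"encoding/asn1"
	"fmt"
	"os"
)

// OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes [0] EXPLICIT ... OPTIONAL };
// encoding/asn1 tolerates extra trailing SEQUENCE members, so only responseStatus is declared here.
type ocspResponseHeader struct {
	Status asn1.Enumerated
}
var ocspStatusNames = map[int]string{0: "successful", 1: "malformedRequest", 2: "internalError", 3: "tryLater", 5: "sigRequired", 6: "unauthorized"} // RFC 6960 (4 unused)
// StapledStatus returns "" when nothing was stapled, otherwise the responseStatus name (cert status inside responseBytes is not inspected).
func StapledStatus(raw []byte) (string, error) {
	if len(raw) == 0 {
		return "", nil
	}
	var hdr ocspResponseHeader
	if _, err := asn1.Unmarshal(raw, &hdr); err != nil {
		return "", fmt.Errorf("stapled bytes are not an OCSPResponse: %w", err)
	}
	if name, ok := ocspStatusNames[int(hdr.Status)]; ok {
		return name, nil
	}
	return fmt.Sprintf("unknown(%d)", hdr.Status), nil
}
// ProbeStapling handshakes with host:443 sending SNI; Go's client always offers status_request, so the result is whatever the server stapled (nil if nothing).
func ProbeStapling(host string) ([]byte, error) {
	conn, err := tls.Dial("tcp", host+":443", &tls.Config{ServerName: host})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().OCSPResponse, nil
}
func main() {
	host := "movlib.org" // server from the thread; pass another host as the first argument
	if len(os.Args) > 1 {
		host = os.Args[1]
	}
	raw, err := ProbeStapling(host)
	if err != nil {
		fmt.Fprintln(os.Stderr, "handshake failed:", err)
		os.Exit(1)
	}
	status, err := StapledStatus(raw)
	fmt.Printf("%s: responseStatus=%q err=%v (empty status means nothing was stapled)\n", host, status, err)
}
```

Running it against the same host with and without SNI, or from a second vantage point, is the quickest way to see whether a server's stapling depends on the ClientHello it receives.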