[gnutls-devel] Looking for OCSP Stapling client example

Tim Ruehsen tim.ruehsen at gmx.de
Thu Nov 13 11:47:50 CET 2014


On Thursday 13 November 2014 11:23:08 Tim Ruehsen wrote:
> On Thursday 13 November 2014 10:21:07 Nikos Mavrogiannopoulos wrote:
> > On Wed, Nov 12, 2014 at 12:38 PM, Tim Ruehsen <tim.ruehsen at gmx.de> wrote:
> > >> 2. Query the OCSP servers of the certificates that you received
> > >> manually. This pretty much involves making HTTP queries, and is
> > >> discussed at:
> > >> http://www.gnutls.org/manual/html_node/OCSP-certificate-status-checking.html#OCSP-certificate-status-checking
> > >> and an example using libcurl is at:
> > >> http://www.gnutls.org/manual/html_node/OCSP-example.html#OCSP-example
> > > 
> > > Right now I am interested in 1. (OCSP Stapling).
> > > It took a while for me to find a server that is appropriately
> > > configured.
> > > Testing with OpenSSL
> > > $ openssl s_client -connect movlib.org:443 -tls1 -tlsextdebug -status
> > 
> > [...]
> > 
> > > In my verify callback routine (after
> > > gnutls_certificate_verify_peers3()),
> > > gnutls_ocsp_status_request_is_checked() always returns 0.
> > 
> > There is something strange with that server. I check the wireshark
> > output of a connection to that server with openssl and the one with
> > gnutls. They are different. With gnutls client the server doesn't
> > advertise its support for ocsp and doesn't send the ocsp response. The
> > contents of the extension sent by the client are the same in both
> > cases.
> 
> I can't find a working web server. They seem to behave like movlib.org,
> e.g. take blog.cloudflare.com:443.
> 
> They seemingly made lots of tests:
> http://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/

More examples: yahoo.com and yandex.ru.

Tim
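Added example (editor's note, not part of Tim's message and not GnuTLS code): the thread compares, in Wireshark, what the client sends in its status_request extension with what the server does in reply. The block below encodes the three pieces of RFC 6066 section 8 wire format involved, so a capture can be checked by hand: the client's CertificateStatusRequest, the empty status_request extension a server must echo in ServerHello when it intends to staple, and the CertificateStatus handshake message (type 22) that carries the DER OCSPResponse. It is written in C because GnuTLS is a C library, but it deliberately does not link against GnuTLS so it runs stand-alone; in a real GnuTLS client the request is issued with gnutls_ocsp_status_request_enable_client() and the stapled response read back with gnutls_ocsp_status_request_get(), after which gnutls_ocsp_resp_import() decodes the DER. All sample bytes (SAMPLE_SH_EXTS, SAMPLE_CERT_STATUS) and the function names are constructed for this example; the OCSPResponse inside the sample is the minimal DER SEQUENCE { ENUMERATED 3 }, i.e. responseStatus tryLater, not a response from any real server.

```c
/* Added example, not GnuTLS code: RFC 6066 "status_request" (OCSP stapling)
 * wire format, as seen in a Wireshark capture of the handshake.
 * All sample bytes below are constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EXT_STATUS_REQUEST    0x0005   /* ExtensionType status_request, RFC 6066 s.8 */
#define STATUS_TYPE_OCSP      1        /* CertificateStatusType ocsp(1) */
#define HS_CERTIFICATE_STATUS 22       /* HandshakeType certificate_status(22) */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd24(const uint8_t *p) { return (uint32_t)p[0] << 16 | (uint32_t)p[1] << 8 | p[2]; }

/* Client side: the extension a stapling-capable client puts in ClientHello.
 * Header = type(2) length(2); body = status_type(1) + responder_id_list
 * <2-byte length, empty> + request_extensions <2-byte length, empty>.
 * This is the same 9-byte encoding both openssl s_client -status and a
 * GnuTLS client emit. Returns bytes written, or 0 if cap is too small. */
size_t build_client_status_request(uint8_t *out, size_t cap)
{
    static const uint8_t ext[] = { 0x00, 0x05, 0x00, 0x05, STATUS_TYPE_OCSP, 0x00, 0x00, 0x00, 0x00 };
    if (cap < sizeof ext) return 0;
    memcpy(out, ext, sizeof ext);
    return sizeof ext;
}

/* Parse an extension body (after the 4-byte header) as CertificateStatusRequest.
 * Returns 1 for a well-formed OCSP request, 0 for anything else. */
int parse_client_status_request(const uint8_t *body, size_t len)
{
    size_t off;
    uint16_t l;
    if (len < 5 || body[0] != STATUS_TYPE_OCSP) return 0;
    off = 1;
    l = rd16(body + off); off += 2;            /* responder_id_list length */
    if (len - off < l) return 0;
    off += l;
    if (len - off < 2) return 0;
    l = rd16(body + off); off += 2;            /* request_extensions length */
    return len - off == l;                     /* no trailing bytes allowed */
}

/* Server side, step 1: walk a ServerHello extension list (the bytes after its
 * 2-byte total length) and report whether status_request was echoed back.
 * RFC 6066 requires the server's copy to be empty. Returns 1 if advertised. */
int server_hello_advertises_ocsp(const uint8_t *exts, size_t len)
{
    size_t off = 0;
    while (len - off >= 4) {
        uint16_t type = rd16(exts + off), elen = rd16(exts + off + 2);
        off += 4;
        if (len - off < elen) return 0;        /* truncated list: not advertised */
        if (type == EXT_STATUS_REQUEST) return elen == 0;
        off += elen;
    }
    return 0;
}

/* Server side, step 2: parse a CertificateStatus handshake message
 * (msg_type(1) length(3) status_type(1) OCSPResponse<3-byte length>) and
 * point at the DER OCSPResponse inside it. Returns 0 on success, -1 on any
 * framing error. Decoding the DER is left to an OCSP library. */
int parse_certificate_status(const uint8_t *msg, size_t len, const uint8_t **der, size_t *der_len)
{
    uint32_t hl, rl;
    if (len < 8 || msg[0] != HS_CERTIFICATE_STATUS) return -1;
    hl = rd24(msg + 1);
    if (hl != len - 4 || msg[4] != STATUS_TYPE_OCSP) return -1;
    rl = rd24(msg + 5);
    if (rl == 0 || rl != hl - 4) return -1;    /* OCSPResponse<1..2^24-1> fills the body */
    *der = msg + 8;
    *der_len = rl;
    return 0;
}

/* The three outcomes seen in the thread: 0 = server did not advertise
 * stapling, 1 = advertised but no CertificateStatus followed, 2 = stapled. */
int stapling_outcome(const uint8_t *sh_exts, size_t sh_len, const uint8_t *cs, size_t cs_len)
{
    const uint8_t *der; size_t der_len;
    if (!server_hello_advertises_ocsp(sh_exts, sh_len)) return 0;
    if (cs == NULL || parse_certificate_status(cs, cs_len, &der, &der_len) != 0) return 1;
    return 2;
}

/* Constructed ServerHello extension list: renegotiation_info (ff01, 1 byte)
 * followed by an empty status_request (0005, 0 bytes). */
static const uint8_t SAMPLE_SH_EXTS[] = { 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x05, 0x00, 0x00 };
/* Constructed CertificateStatus carrying the 5-byte DER OCSPResponse
 * SEQUENCE { ENUMERATED 3 } (responseStatus tryLater). */
static const uint8_t SAMPLE_CERT_STATUS[] = { 22, 0x00, 0x00, 0x09, 1, 0x00, 0x00, 0x05,
                                              0x30, 0x03, 0x0a, 0x01, 0x03 };

int main(void)
{
    uint8_t buf[16];
    const uint8_t *der; size_t der_len;
    size_t n = build_client_status_request(buf, sizeof buf);
    printf("client extension well-formed: %d\n", parse_client_status_request(buf + 4, n - 4));
    printf("stapling outcome: %d\n", stapling_outcome(SAMPLE_SH_EXTS, sizeof SAMPLE_SH_EXTS,
                                                       SAMPLE_CERT_STATUS, sizeof SAMPLE_CERT_STATUS));
    if (parse_certificate_status(SAMPLE_CERT_STATUS, sizeof SAMPLE_CERT_STATUS, &der, &der_len) == 0)
        printf("stapled OCSPResponse: %zu DER bytes\n", der_len);
    return 0;
}
```

When a capture shows the 9-byte client extension but no status_request in ServerHello, the client library is not at fault; the server chose not to staple on that connection, which is the situation described above for the GnuTLS connection. Some servers only staple once they have fetched a fresh response from their CA's responder, so the first connection after a restart, or a connection that hits a different backend behind a load balancer, can legitimately differ from the next one.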
