[gnutls-devel] Looking for OCSP Stapling client example

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Nov 14 20:57:57 CET 2014


On Thu, 2014-11-13 at 11:47 +0100, Tim Ruehsen wrote:

> > > > In my verify callback routine (after
> > > > gnutls_certificate_verify_peers3()),
> > > > gnutls_ocsp_status_request_is_checked() always returns 0.
> > > There is something strange with that server. I check the wireshark
> > > output of a connection to that server with openssl and the one with
> > > gnutls. They are different. With gnutls client the server doesn't
> > > advertise its support for ocsp and doesn't send the ocsp response. The
> > > contents of the extension sent by the client are the same in both
> > > cases.
> > I can't find a working web server. They seem to behave like movlib.org,
> > e.g. take blog.cloudflare.com:443.
> > They seemingly made lots of tests:
> > http://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
> More examples: yahoo.com and yandex.ru.

Thanks for insisting. It seems that there is an issue in libtasn1 which
does not properly re-encode these OCSP responses, and as far as I see
this is a persistent issue. OCSP responders must have switched from
setting the issuer's DN to setting the SHA1 hash of the key, and that
must have uncovered the issue. I don't think I can manage to work on
libtasn1, but I've worked around the issue in the gnutls 3.3 branch, so
unfortunately you cannot rely on the verification of OCSP stapled
responses with the released versions of gnutls.

regards,
Nikos
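
The message above ties the failure to responders switching the OCSP ResponderID from the issuer's DN (byName) to the SHA1 hash of the key (byKey). The following is an added example, not code from the post, GnuTLS or libtasn1: a small DER walker that reports which form a ResponseData uses, following the RFC 6960 structure. The function names and both sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed samples (not captured traffic): responderID, producedAt, empty responses. */
#define PRODUCED_AT 0x18, 0x0F, '2','0','1','4','1','1','1','4','1','9','5','7','5','7','Z'
static const unsigned char SAMPLE_BY_KEY[] = {
    0x30, 0x2B, 0xA2, 0x16, 0x04, 0x14,       /* [2] { OCTET STRING, 20 bytes */
    0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,   /* placeholder hash */
    PRODUCED_AT, 0x30, 0x00 };
static const unsigned char SAMPLE_BY_NAME[] = {
    0x30, 0x26, 0xA1, 0x11, 0x30, 0x0F, 0x31, 0x0D, 0x30, 0x0B,  /* [1] { Name */
    0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x04, 'T','e','s','t',   /* CN=Test */
    PRODUCED_AT, 0x30, 0x00 };

/* Read one DER header at *pos; on success move *pos to the content bytes. */
static int der_header(const unsigned char *b, size_t n, size_t *pos,
                      unsigned *tag, size_t *len)
{
    size_t p = *pos, l;
    if (p >= n || n - p < 2) return -1;
    *tag = b[p++]; l = b[p++];
    if (l & 0x80) {                           /* long-form length */
        size_t k = l & 0x7F;
        if (k == 0 || k > 4 || n - p < k) return -1;
        for (l = 0; k > 0; k--) l = (l << 8) | b[p++];
    }
    if (n - p < l) return -1;                 /* content must fit the buffer */
    *pos = p; *len = l;
    return 0;
}
/* Returns 1 for byName ([1] Name), 2 for byKey ([2] KeyHash), -1 if malformed. */
int ocsp_responder_id_kind(const unsigned char *der, size_t n)
{
    size_t pos = 0, len, end; unsigned tag;
    if (der_header(der, n, &pos, &tag, &len) || tag != 0x30) return -1;
    end = pos + len;
    if (der_header(der, end, &pos, &tag, &len)) return -1;
    if (tag == 0xA0) {                        /* optional explicit version */
        pos += len;
        if (der_header(der, end, &pos, &tag, &len)) return -1;
    }
    if (tag == 0xA1) return 1;
    if (tag != 0xA2) return -1;
    end = pos + len;                          /* KeyHash: 20-byte OCTET STRING */
    if (der_header(der, end, &pos, &tag, &len) || tag != 0x04 || len != 20) return -1;
    return 2;
}
int main(void) {
    printf("byKey sample: %d, byName sample: %d\n",
           ocsp_responder_id_kind(SAMPLE_BY_KEY, sizeof SAMPLE_BY_KEY),
           ocsp_responder_id_kind(SAMPLE_BY_NAME, sizeof SAMPLE_BY_NAME));
    return 0;
}
```

The input is the DER of the ResponseData (tbsResponseData) element only, not the full OCSPResponse wrapper.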




