[gnutls-devel] Implementing RFC 7633 to support mandatory OCSP stapling.

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Dec 21 09:21:00 CET 2015

On Sun, Dec 20, 2015 at 4:34 PM, Tim Kosse
<tim.kosse at filezilla-project.org> wrote:
> Hi,
> I took a shot at implementing RFC 7633 which can be used to make OCSP
> stapling mandatory.
> Attached is a proof-of-concept series of patches that implements
> checking for a missing certificate status during the handshake. I have
> manually tested this functionality against
> https://must-staple.serverhello.com/ and
> https://must-staple-no-ocsp.serverhello.com/
> Before continuing, I'd like your opinion on the patch series so far.

Thank you for the patch; it very is consistent with existing code. Do
you know any plans on other implementations to use/rely on that

Some comments:
1. "To proceed, first check whether we have requested the certificate status"
Even though it's a simple check I'd suggest to use

2. Would it make sense to use gnutls_x509_ext_tlsfeatures_get()
instead of gnutls_x509_crt_get_tlsfeature() to reduce the multiple
decodings of this extension in case more than one features are
present? In that case the checking for tlsfeatures would have to move
to a separate function.


More information about the Gnutls-devel mailing list