[gnutls-devel] [PATCH] OCSP check the whole cert chain

Tim Ruehsen tim.ruehsen at gmx.de
Mon Feb 2 16:27:11 CET 2015

On Monday 19 January 2015 15:33:47 Nikos Mavrogiannopoulos wrote:
> On Sat, Jan 17, 2015 at 2:55 PM, Tim Rühsen <tim.ruehsen at gmx.de> wrote:
> >> > (There's an RFC for stapling multiple certs in progress.) -  Matt
> >> > Nordhoff"
> >> > To me, this sounds reasonable. Shouldn't the ocsptool loop over the
> >> > complete cert list and check each cert ? What do you think ?
> >> 
> >> Indeed, that would be the right thing to do. If there is a patch for
> >> that I'll apply it.
> > 
> > Hi Nikos,
> > I made up a first patch to check the whole cert chain.
> > Not sure what to do for e.g. www.google.com where the last cert in the
> > chain is not verifiable via OCSP.
> Thank you. I've applied a modified patch, where this is skipped. With
> the updated patch, we check OCSP for the certificates we have
> information to use. For the others, we simply cannot check them.

Hi Nikos,

please have a look at src/cli.c/cert_verify_ocsp().

You changed the last line in this function in a way, that if there are revoked 
certs in the chain but at least one not-revoked cert, the function returns 
'ok'. Which it should not and which it did not in my patch.

Regards, Tim
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20150202/a6682776/attachment-0001.sig>

More information about the Gnutls-devel mailing list