[gnutls-devel] OCSP RFC6961 for web servers

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Feb 6 11:41:59 CET 2015

On Fri, 2015-02-06 at 11:05 +0100, Tim Ruehsen wrote:
> First, many thanks for your clarifications.
> On Wednesday 04 February 2015 17:29:33 Nikos Mavrogiannopoulos wrote:
> > > I thought ocsptool is to generate requests (and responses) for OCSP
> > > responders. What has this to do with the TLS extension status_request_v2
> > > (despite the fact that a HTTPS server could use the responses to build
> > > status_request_v2 stapled responses for the 'Server Hello').
> > 
> > Exactly (though, the status request response isn't sent on server
> > hello). We need a way/tool for server operators to gather and
> > concatenate their OCSP responses in a format gnutls will understand.
> > ocsptool ought to do that.
> From status_request.c/_gnutls_status_request_decode_raw_resp() I can see, that 
> the file format has already already fixed for v2.
> Just to be in line with you... Do you think it is appropriate to add an CLI 
> option to ocsptool (e.g. --merge-response=file1,file2,...) to merge several 
> response files into one file (specified by --outfile) readable by the library 
> code ?

That could be an option. In that case it will be challenging to make the
merged file correspond to the certificate chain (e.g., response 0
correspond to cert 0 ...). A simpler approach may be to do something
$ ocsptool --ask-multi mychain.pem --outfile multi.ocsp

More information about the Gnutls-devel mailing list