[gnutls-devel] OCSP for www.google.com

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Jan 15 16:53:22 CET 2015

On Thu, Jan 15, 2015 at 4:18 PM, Tim Ruehsen <tim.ruehsen at gmx.de> wrote:
> Wow Nikos, that was fast! Thank you.
> I'll try it out soon.
> Just a follow-up question regarding OCSP.
> Looking at http://security.stackexchange.com/questions/56239/secure-connection-failed-ocsp, there is a comment:
> "By the way, OCSP stapling can only staple info for one certificate. The
> browser will still have to contact your intermediate certificates' OCSP
> servers unless you've recently visited another website using the same ones.
> (There's an RFC for stapling multiple certs in progress.) -  Matt Nordhoff"
> To me, this sounds reasonable. Shouldn't the ocsptool loop over the complete
> cert list and check each cert? What do you think?

Indeed, that would be the right thing to do. If there is a patch for
that I'll apply it.

For completeness there is also RFC 6961, which allows for multiple OCSP
staples to be included in the server's reply, but doesn't seem to be
supported by anyone. I have an implementation in some branch of gnutls,
but as I couldn't make interop check with anyone, it is left out.
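As an added illustration of the per-certificate loop discussed above (example code, not part of GnuTLS or ocsptool), the script below splits a server's PEM chain in wire order, pairs each certificate with the issuer that follows it, and plans one OCSP query per pair; it also shows why a single stapled response only removes the leaf's check. The PEM bodies are constructed placeholders rather than real certificates, so the planned `ocsptool --ask --load-cert ... --load-issuer ...` commands are printed, not run. Those three ocsptool options exist; whether the queried responder answers is of course not something this offline example can show. The pairing generalises to chains of any length, with or without the root included.

```python
"""Walk a server's PEM certificate chain leaf-to-root and plan one OCSP status
check per issued certificate, the loop the thread says ocsptool should run.

Example code added for illustration; it is not part of GnuTLS or ocsptool.
The PEM bodies below are constructed placeholders, not real certificates, so
the planned commands are printed rather than executed.
"""
import os
import re
import tempfile
from typing import List, Tuple

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.S,
)

# Constructed chain in on-the-wire order: leaf, intermediate, root.
# The base64 bodies are placeholders, not DER-encoded certificates.
CONSTRUCTED_CHAIN = """\
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Uk9PVC1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
"""


def split_chain(pem: str) -> List[str]:
    """Return each certificate block of a PEM bundle, keeping wire order."""
    return [m.group(0) + "\n" for m in PEM_BLOCK.finditer(pem)]


def plan_ocsp_checks(pem: str, stapled_leaf: bool = False) -> List[Tuple[int, int]]:
    """Pair every certificate with the issuer that follows it in the chain.

    Returns (subject_index, issuer_index) pairs. The last certificate in the
    bundle has no issuer inside it: when the server sends the root, that is
    the trust anchor and is not queried; when it omits the root, the last
    intermediate's issuer would have to come from the local trust store.
    A stapled OCSP response (RFC 6066) covers only the leaf, so with
    stapled_leaf=True that first check is the only one that can be skipped.
    """
    certs = split_chain(pem)
    pairs = [(i, i + 1) for i in range(len(certs) - 1)]
    return pairs[1:] if stapled_leaf else pairs


def ocsptool_argv(cert_file: str, issuer_file: str) -> List[str]:
    """Command line for one check using ocsptool's --ask, --load-cert and
    --load-issuer options (running it needs network access to the responder)."""
    return ["ocsptool", "--ask", "--load-cert", cert_file,
            "--load-issuer", issuer_file]


def plan_commands(pem: str, workdir: str, stapled_leaf: bool = False) -> List[List[str]]:
    """Write each certificate to workdir and build one ocsptool command per pair."""
    certs = split_chain(pem)
    paths = []
    for i, cert in enumerate(certs):
        path = os.path.join(workdir, f"cert{i}.pem")
        with open(path, "w") as f:
            f.write(cert)
        paths.append(path)
    return [ocsptool_argv(paths[subject], paths[issuer])
            for subject, issuer in plan_ocsp_checks(pem, stapled_leaf)]


if __name__ == "__main__":
    # Three certificates yield two checks: leaf against intermediate,
    # intermediate against root; the root itself is never queried.
    with tempfile.TemporaryDirectory() as d:
        for argv in plan_commands(CONSTRUCTED_CHAIN, d):
            print(" ".join(argv))
```

The design choice worth noting is that the issuer for each query is taken from the chain itself rather than looked up, which is exactly what makes the root (or, if absent, the last intermediate) fall outside the loop.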
