[gnutls-devel] [PATCH] OCSP check the whole cert chain

Tim Rühsen tim.ruehsen at gmx.de
Sat Jan 17 14:55:24 CET 2015


On Thursday, 15 January 2015, 16:53:22, Nikos Mavrogiannopoulos wrote:
> On Thu, Jan 15, 2015 at 4:18 PM, Tim Ruehsen <tim.ruehsen at gmx.de> wrote:
> > Wow Nikos, that was fast! Thank you.
> > I'll try it out soon.
> > Just a follow-up question regarding OCSP.
> > Looking at
> > http://security.stackexchange.com/questions/56239/secure-connection-failed-ocsp,
> > there is a comment:
> > 
> > "By the way, OCSP stapling can only staple info for one certificate. The
> > browser will still have to contact your intermediate certificates' OCSP
> > servers unless you've recently visited another website using the same
> > ones.
> > (There's an RFC for stapling multiple certs in progress.) -  Matt
> > Nordhoff"
> > To me, this sounds reasonable. Shouldn't the ocsptool loop over the
> > complete cert list and check each cert? What do you think?
> 
> Indeed, that would be the right thing to do. If there is a patch for
> that I'll apply it.

Hi Nikos,

I made up a first patch to check the whole cert chain.

Not sure what to do for e.g. www.google.com where the last cert in the chain 
is not verifiable via OCSP.

Please feel free to amend anything you like.

Tim
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-OCSP-check-the-whole-cert-chain.patch
Type: text/x-patch
Size: 5070 bytes
Desc: not available
URL: </pipermail/attachments/20150117/4f419e0e/attachment-0001.bin>
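As an added illustration of the policy question raised in this thread (looping over the whole chain, pairing each certificate with its issuer for the OCSP request, and deciding what to do when the last certificate cannot be checked), here is a small Python model. It is not the attached patch, which is not reproduced on this page, and it is not GnuTLS code: the responder is a caller-supplied function and the certificate names are constructed placeholders, so the logic can be exercised offline. A real implementation would hold gnutls_x509_crt_t objects and use the OCSP request/response API instead of the `query` callback.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model of the chain-walking logic discussed in the thread.
# Not GnuTLS code: the OCSP lookup is a caller-supplied function.

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ocsp_url: Optional[str]  # AIA OCSP responder URI, None if the cert carries none


def pair_with_issuers(chain: List[Cert]) -> List[Tuple[Cert, Optional[Cert]]]:
    """Pair each cert of a leaf-first chain with the issuer an OCSP request needs.

    A self-signed cert (the trust anchor) is omitted: there is no issuer to ask.
    A cert whose issuer is not in the chain is paired with None so the caller can
    report it instead of silently skipping it (the www.google.com case above).
    """
    pairs = []
    for i, cert in enumerate(chain):
        if cert.subject == cert.issuer:
            continue
        issuer = next((c for c in chain[i + 1:] if c.subject == cert.issuer), None)
        pairs.append((cert, issuer))
    return pairs


def check_chain(chain: List[Cert],
                query: Callable[[Cert, Cert], str],
                stapled: Optional[Dict[str, str]] = None) -> Tuple[str, Dict[str, str]]:
    """Check every checkable cert in the chain and fold the results into one verdict.

    query(cert, issuer) -> GOOD | REVOKED | UNKNOWN models a live OCSP lookup.
    stapled maps a subject to a status delivered with the handshake; stapling
    covers a single certificate (normally the leaf), so the others still need
    live queries, which is exactly why the whole chain has to be walked.
    """
    stapled = stapled or {}
    results: Dict[str, str] = {}
    for cert, issuer in pair_with_issuers(chain):
        if cert.subject in stapled:
            results[cert.subject] = stapled[cert.subject]
        elif issuer is None:
            results[cert.subject] = "issuer-not-in-chain"
        elif cert.ocsp_url is None:
            results[cert.subject] = "no-responder"
        else:
            results[cert.subject] = query(cert, issuer)

    if any(s == REVOKED for s in results.values()):
        verdict = "revoked"      # one revoked cert anywhere invalidates the chain
    elif results and all(s == GOOD for s in results.values()):
        verdict = "good"
    else:
        verdict = "incomplete"   # something could not be checked; local policy decides
    return verdict, results


# Constructed sample chain; the names are placeholders, not real CAs.
SAMPLE_CHAIN = [
    Cert("CN=www.example.test", "CN=Example Intermediate CA", "http://ocsp.example.test"),
    Cert("CN=Example Intermediate CA", "CN=Example Root CA", "http://ocsp.example.test"),
    Cert("CN=Example Root CA", "CN=Example Root CA", None),  # self-signed, not checkable
]


def fake_responder(status_by_subject: Dict[str, str]) -> Callable[[Cert, Cert], str]:
    """Build a query function returning canned statuses (constructed test double)."""
    def query(cert: Cert, issuer: Cert) -> str:
        return status_by_subject.get(cert.subject, UNKNOWN)
    return query


if __name__ == "__main__":
    all_good = fake_responder({"CN=www.example.test": GOOD,
                               "CN=Example Intermediate CA": GOOD})
    print(check_chain(SAMPLE_CHAIN, all_good))
    # A stapled response only vouches for the leaf; a revoked intermediate is
    # still caught because the intermediate gets its own live query.
    bad_intermediate = fake_responder({"CN=Example Intermediate CA": REVOKED})
    print(check_chain(SAMPLE_CHAIN, bad_intermediate,
                      stapled={"CN=www.example.test": GOOD}))
```

The "incomplete" verdict is where the open question in the mail lands: a chain whose last certificate is not self-signed and whose issuer is not sent by the server can only be checked if the issuer is found in the local trust store, otherwise the caller has to decide whether an unchecked intermediate is acceptable.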
