[gnutls-devel] [PATCH] OCSP check the whole cert chain

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Jan 19 15:33:47 CET 2015


On Sat, Jan 17, 2015 at 2:55 PM, Tim Rühsen <tim.ruehsen at gmx.de> wrote:
>> > (There's an RFC for stapling multiple certs in progress.) - Matt
>> > Nordhoff"
>> > To me, this sounds reasonable. Shouldn't the ocsptool loop over the
>> > complete cert list and check each cert? What do you think?
>> Indeed, that would be the right thing to do. If there is a patch for
>> that I'll apply it.
> Hi Nikos,
> I made up a first patch to check the whole cert chain.
> Not sure what to do for e.g. www.google.com where the last cert in the chain
> is not verifiable via OCSP.

Thank you. I've applied a modified patch, where this is skipped. With
the updated patch, we check OCSP for the certificates we have
information to use. For the others, we simply cannot check them.

regards,
Nikos
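The behaviour agreed on above, as an added illustration rather than code from the gnutls patch (ocsptool itself is C; the Cert type, the responder callback and the sample chain here are constructed stand-ins): walk the chain leaf-first, query OCSP only for the certificates that carry a responder URI and have their issuer available, and record the rest as skipped instead of failing on them.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Cert:
    """Hypothetical stand-in for one chain element (not a gnutls type)."""
    subject: str
    ocsp_uri: Optional[str] = None  # AIA OCSP responder URI, None if absent


def ocsp_check_chain(chain: List[Cert],
                     query: Callable[[Cert, Cert], str]) -> Dict[str, str]:
    """Return subject -> 'good' | 'revoked' | 'unknown' | 'skipped'.

    chain is leaf first, each cert followed by its issuer. A cert is queried
    only when it advertises a responder AND its issuer is in the chain (the
    OCSP request is built from the issuer's name and key hashes). Anything
    else is 'skipped', as for the trailing cert in the www.google.com case.
    """
    results: Dict[str, str] = {}
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else None
        if cert.ocsp_uri is None or issuer is None:
            results[cert.subject] = "skipped"
            continue
        results[cert.subject] = query(cert, issuer)
    return results


def chain_acceptable(results: Dict[str, str]) -> bool:
    """Only an explicit 'revoked' rejects the chain; 'skipped' and
    'unknown' carry no evidence either way and therefore do not."""
    return "revoked" not in results.values()


# Constructed sample chain: leaf and intermediate advertise OCSP, root does not.
SAMPLE_CHAIN = [
    Cert("CN=www.example.test", "http://ocsp.example.test/"),
    Cert("CN=Example Intermediate CA", "http://ocsp.example.test/"),
    Cert("CN=Example Root CA"),
]

# Constructed responder answers standing in for the network round trip.
FAKE_ANSWERS = {"CN=www.example.test": "good",
                "CN=Example Intermediate CA": "good"}


def fake_responder(cert: Cert, issuer: Cert) -> str:
    return FAKE_ANSWERS.get(cert.subject, "unknown")
```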
