[gnutls-devel] OCSP / gnutls_ocsp_status_request_is_checked()

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Jan 19 18:46:44 CET 2015


On Mon, 2015-01-19 at 17:06 +0100, Tim Ruehsen wrote:

> Sounds like a hen/egg problem to me.
> Since many web sites nowadays use intermediate CA certs, multi-stapling will 
> have the same benefits as the introduction of OCSP stapling.
> I don't quite understand "will require some tool support". How can I help ?
> Let gnutls-cli use the ocsp2 code (e.g. new option --ocsp-multi) ?

I see that there are files missing from my branch, I hope that I still
have them somewhere. However, my concern when I was developing it was
that there is no standard format to store multiple OCSP responses. So I
made a quick hack with a binary format which will require minimal
parsing by the sending server. However, ocsptool doesn't generate that
format, nor is there a way to easily combine multiple responses into
it. That's what is currently missing.

The format is the same as OCSPResponseList on the wire in RFC 6961, plus
a header GNUTLS_OCSP_MULTI_MAGIC.

     opaque OCSPResponse<0..2^24-1>;
     # each response is prefixed with a 24-bit integer giving its length

     struct {
       OCSPResponse ocsp_response_list<1..2^24-1>;
     } OCSPResponseList;
     # the list is prefixed with a 24-bit integer giving its length in bytes,
     # and consists of multiple OCSPResponse structs.

This was the missing part.

regards,
Nikos
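As an added example (not code from the GnuTLS branch or from the message above), here is an encoder and a bounds-checked decoder for the blob described in that message: the GNUTLS_OCSP_MULTI_MAGIC header followed by an RFC 6961 OCSPResponseList, i.e. a 24-bit list length, then each OCSPResponse with its own 24-bit length prefix. The actual magic bytes are not given in the message, so `ASSUMED_MAGIC` is a constructed placeholder; the two sample responses are constructed minimal DER OCSPResponse values carrying only a responseStatus. `wire_list()` shows the "minimal parsing by the sending server" point: after validation, stripping the header yields exactly the bytes that go on the wire.

```python
"""Encode/decode magic || OCSPResponseList as described in the message."""

# Assumption: the real GNUTLS_OCSP_MULTI_MAGIC value is not in the message,
# so this example uses a constructed placeholder tag of its own.
ASSUMED_MAGIC = b"GNUTLS-OCSP-MULTI"

U24_MAX = (1 << 24) - 1


def _put_u24(n: int) -> bytes:
    """Encode a TLS 24-bit big-endian length prefix."""
    if not 0 <= n <= U24_MAX:
        raise ValueError("length does not fit in 24 bits")
    return n.to_bytes(3, "big")


def _get_u24(buf: bytes, off: int) -> int:
    return int.from_bytes(buf[off:off + 3], "big")


def encode_multi(responses, magic=ASSUMED_MAGIC) -> bytes:
    """Build magic || OCSPResponseList from a list of DER OCSPResponse blobs.

    ocsp_response_list<1..2^24-1> requires at least one element, so an
    empty input is rejected instead of producing an invalid blob.
    """
    if not responses:
        raise ValueError("ocsp_response_list requires at least one OCSPResponse")
    body = b"".join(_put_u24(len(r)) + r for r in responses)
    return magic + _put_u24(len(body)) + body


def decode_multi(blob: bytes, magic=ASSUMED_MAGIC):
    """Parse the blob back into a list of DER OCSPResponse byte strings.

    Each length prefix is checked against the enclosing vector before it is
    used, so truncated or oversized lengths raise instead of reading past
    the buffer.
    """
    if not blob.startswith(magic):
        raise ValueError("missing GNUTLS_OCSP_MULTI_MAGIC header")
    off = len(magic)
    if len(blob) - off < 3:
        raise ValueError("truncated OCSPResponseList length")
    list_len = _get_u24(blob, off)
    off += 3
    end = off + list_len
    if end != len(blob):
        raise ValueError("OCSPResponseList length does not match blob size")
    out = []
    while off < end:
        if end - off < 3:
            raise ValueError("truncated OCSPResponse length prefix")
        n = _get_u24(blob, off)
        off += 3
        if n > end - off:
            raise ValueError("OCSPResponse overruns OCSPResponseList")
        out.append(blob[off:off + n])
        off += n
    if not out:
        raise ValueError("OCSPResponseList must contain at least one response")
    return out


def wire_list(blob: bytes, magic=ASSUMED_MAGIC) -> bytes:
    """What the sending server needs: validate, then strip the magic header
    and return the OCSPResponseList exactly as it appears on the wire."""
    decode_multi(blob, magic)
    return blob[len(magic):]


# Constructed sample data: minimal DER OCSPResponse values that carry only a
# responseStatus ENUMERATED and no responseBytes: tryLater(3), unauthorized(6).
SAMPLE_RESPONSES = [bytes.fromhex("30030a0103"), bytes.fromhex("30030a0106")]

if __name__ == "__main__":
    blob = encode_multi(SAMPLE_RESPONSES)
    print(blob.hex())
    print([r.hex() for r in decode_multi(blob)])
```

Because every inner length is validated against the outer vector, a blob whose list length disagrees with the file size, or whose inner prefix claims more bytes than remain, is rejected before any response is handed to the TLS layer.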
