[gnutls-devel] Support for OCSP Must-staple ?

Jouni Malinen jkmalinen at gmail.com
Sat May 21 20:05:03 CEST 2016


On Fri, May 20, 2016 at 6:32 PM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> That attempt is on the ocsp2 branch at:
> https://gitlab.com/gnutls/gnutls/commits/ocsp2
>
> I don't remember how far it was gone, or whether it can apply on
> master, but I remember I didn't follow up because there were no other
> implementations of it, nor any plans for it. I can see it is still
> open at NSS and openssl. However, with the track OCSP stapling is
> taking, this will become something required in the future. So if there
> is someone to push for it and creates the required tooling (for an
> admin to aggregate ocsp responses) I'm all for it to include it.

For quite some time, I was hoping to get ocsp_multi support available
in one or more of the common TLS libraries to be able to use this in
wpa_supplicant and hostapd. I ended up implementing an experimental
version in the internal TLS implementation in hostap.git for both the
server and client side so that I can at least test this functionality
with WPA2 and EAP authentication. Since I also added support for using
GnuTLS with server side OCSP stapling, I'd hope it would be a relatively
simple addition to get this running for interop testing (hostapd with
GnuTLS as the EAP server and wpa_supplicant with the internal TLS
client implementation as the EAP peer) if the GnuTLS implementation is
expected to be in a more or less functional state for OCSP stapling with
the RFC 6961 extensions. I have fully automated test cases for that
ready as well.

- Jouni
