[gnutls-devel] Interaction between TLS session resumption and the OCSP must-staple certificate extension

Tim Kosse tim.kosse at filezilla-project.org
Tue Jun 27 20:07:26 CEST 2017


On 2017-06-27 17:22, TJ Saunders wrote:
> If we are to ignore the ClientHello extensions for a resumed session,
> then we would not send the stapled OCSP response.  The RFC 6066 Section
> 1.1 text, in my reading, says that the ServerHello emitted by the TLS
> server, for a resumed session, MUST NOT contain any of the TLS
> extensions -- and this would include the stapled OCSP response.  That
> is, the ServerHello of the resumed session must be different; it is not
> described as being a "replay" of the original ServerHello.

The stapled OCSP reponse is sent in a separate CertificateStatus
handshake packet, it is not part even part of the ServerHello.


More information about the Gnutls-devel mailing list