[gnutls-devel] Interaction between TLS session resumption and the OCSP must-staple certificate extension

Tim Kosse tim.kosse at filezilla-project.org
Wed Jun 28 09:28:35 CEST 2017


On 2017-06-27 09:13, Ander Juaristi wrote:> what happens if the>
certificate has been revoked in the time span between the initial
session> establishment and the later resumption?> > The client can check
that by sending a "normal" OCSP status request, but would> lose the
benefit of stapled OCSP?

It's not much of a deal. On a non-resumed handshake the server can still
use the revoked certificate for a while if it keeps stapling the old
OCSP response until it expires.


More information about the Gnutls-devel mailing list