[gnutls-help] full-chain ocsp stapling

Jeremy Harris jgh at wizmail.org
Sun Nov 10 21:45:21 CET 2019


GnuTLS 3.6.8

I'm testing $subject using a 3-layer cert chain, and stapled ocsp
under TLS1.3 for which the middle item is non-valid.  The client
reports (using gnutls_ocsp_resp_print()) :-

20:23:20 18349 OCSP Response Information:
20:23:20 18349  Response Status: Successful
20:23:20 18349  Response Type: Basic OCSP Response
20:23:20 18349  Version: 1
20:23:20 18349  Responder ID: CN=clica CA rsa,O=example.com
20:23:20 18349  Produced At: Sun Nov 10 20:09:14 UTC 2019
20:23:20 18349  Responses:
20:23:20 18349          Certificate ID:
20:23:20 18349                  Hash Algorithm: SHA256
20:23:20 18349                  Issuer Name Hash:
5af082e51d62fe01fd706baebeb878db64e68f76e74a36f36d914297ddee24b8
20:23:20 18349                  Issuer Key Hash:
333db14364b98e78a33dd8a4fae8d8378ea9b0f5fbca97b25685aa0d32116091
20:23:20 18349                  Serial Number: 65
20:23:20 18349          Certificate Status: good
20:23:20 18349          This Update: Sun Nov 10 20:09:14 UTC 2019
20:23:20 18349          Next Update: Fri Nov 09 20:09:14 UTC 2029
20:23:20 18349          Certificate ID:
20:23:20 18349                  Hash Algorithm: SHA256
20:23:20 18349                  Issuer Name Hash:
bfa7275a566efd4be2df82dbd9d1290d470186f6ff2acd8c16659f342ab56109
20:23:20 18349                  Issuer Key Hash:
208f9d28c7c0bc914144dfa8c0be3d5b3bfcebb622c8a8dc27e865fc06ca0e12
20:23:20 18349                  Serial Number: 42
20:23:20 18349          Certificate Status: revoked
20:23:20 18349          Revocation time: Mon Feb 01 14:27:09 UTC 2010
20:23:20 18349          This Update: Sun Nov 10 20:09:14 UTC 2019
20:23:20 18349          Next Update: Fri Nov 09 20:09:14 UTC 2029
20:23:20 18349          Certificate ID:
20:23:20 18349                  Hash Algorithm: SHA256
20:23:20 18349                  Issuer Name Hash:
bfa7275a566efd4be2df82dbd9d1290d470186f6ff2acd8c16659f342ab56109
20:23:20 18349                  Issuer Key Hash:
208f9d28c7c0bc914144dfa8c0be3d5b3bfcebb622c8a8dc27e865fc06ca0e12
20:23:20 18349          Certificate Status: good
20:23:20 18349          This Update: Sun Nov 10 20:09:14 UTC 2019
20:23:20 18349          Next Update: Fri Nov 09 20:09:14 UTC 2029
20:23:20 18349  Extensions:
20:23:20 18349  Signature Algorithm: RSA-SHA256

but gnutls_ocsp_status_request_is_checked(state->session, 0) returns
nonzero (meaning "valid").

I'm not quite clear what level of validity is being described here.
Should it be checking that the OCSP response indicates non-revoked
certificates, for all cert-chain elements covered?  Or is it only
saying that the stapled information is well-constructed and signed
(meaning that I should be taking more actions to validate the
certs; if so, what)?

-- 
Thanks,
  Jeremy
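As an added example (not part of the post and not GnuTLS code), here is a small stdlib-only parser for the gnutls_ocsp_resp_print() text quoted above: it walks every single response in the stapled data and reports each covered certificate whose status is anything other than "good", which is the per-certificate reading that a single "the response is valid" style result does not give you. It assumes the line layout printed above, including the third entry that carries no Serial Number line; the sample dump is an abridged copy of the post's output.

```python
"""Per-certificate status from a gnutls_ocsp_resp_print() dump (added example)."""
import re

# Abridged copy of the dump quoted in the post: timestamp/pid prefixes and the
# hash values are trimmed; the third entry really carries no Serial Number line.
SAMPLE_DUMP = """\
 Response Status: Successful
 Responses:
         Certificate ID:
                 Serial Number: 65
         Certificate Status: good
         Certificate ID:
                 Serial Number: 42
         Certificate Status: revoked
         Revocation time: Mon Feb 01 14:27:09 UTC 2010
         Certificate ID:
         Certificate Status: good
"""

# "key: value"; an optional leading "HH:MM:SS pid" prefix (as in the post) is skipped.
LINE = re.compile(r"^\s*(?:\d\d:\d\d:\d\d\s+\d+\s+)?([^:]+?):\s*(.*)$")

def parse_single_responses(dump):
    """One dict per 'Certificate ID:' block; 'serial' is None if no Serial Number line."""
    singles = []
    for raw in dump.splitlines():
        m = LINE.match(raw)
        if not m:
            continue             # bare hash-value lines have no colon
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Certificate ID":
            singles.append({"serial": None, "status": None, "revocation_time": None})
        elif singles and key == "Serial Number":
            singles[-1]["serial"] = value
        elif singles and key == "Certificate Status":
            singles[-1]["status"] = value      # good / revoked / unknown
        elif singles and key == "Revocation time":
            singles[-1]["revocation_time"] = value
    return singles

def not_good(dump):
    """Covered certificates whose status is anything other than 'good'."""
    return [s for s in parse_single_responses(dump) if s["status"] != "good"]

def chain_is_clean(dump):
    """True only if the response succeeded, covers >= 1 cert and all are 'good'."""
    if not re.search(r"Response Status:\s*Successful\s*$", dump, re.M):
        return False
    return bool(parse_single_responses(dump)) and not not_good(dump)
```

Run against the sample, chain_is_clean() is False and not_good() returns the serial 42 entry with its revocation time, even though the response itself is "Successful" and signed.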


