[gnutls-help] full-chain ocsp stapling
Jeremy Harris
jgh at wizmail.org
Sun Nov 24 18:43:48 CET 2019
On 10/11/2019 20:45, Jeremy Harris wrote:
> GnuTLS 3.6.8
>
> I'm testing $subject using a 3-layer cert chain, and stapled ocsp
> under TLS1.3 for which the middle item is non-valid.
...
> but gnutls_ocsp_status_request_is_checked(state->session, 0) returns
> nonzero (meaning "valid").
>
> I'm not quite clear what level of validity is being described here.
> Should it be checking that the OCSP response indicates non-revoked
> certificates, for all cert-chain elements covered? Or is it only
> saying that the stapled information is well-constructed and signed
> (meaning that I should be taking more actions to validate the
> certs; if so, what)?
No answers on this?
--
Cheers,
Jeremy