William A. Rowe, Jr. wrote:
> Dr Stephen Henson wrote:
>> First comment to list in general: any comments on what needs to be done to
>> get the OCSP stapling patch accepted?
>
> I had been under the impression, from reading the bug commentary too many
> times, that it was not vetting the CA chain from root to cert.
>
> It seems I misunderstood and this patch is ready for backport. Please
> correct us if there are any other changes required to bless this code as
> 'production ready'/General Availability.
>
I may have missed something here but the OCSP stapling code doesn't appear to
be in trunk. The patch in:

https://issues.apache.org/bugzilla/show_bug.cgi?id=43822

doesn't apply cleanly any more, though the changes needed to get it working
are fairly trivial. I'm in the process of including an updated patch.

Nitpick: along the way I noticed the ocsp code in ssl_util_ocsp.c was updated
to support a configurable timeout (which was in the original stapling patch)
but the comment:

/* Inherit the default I/O timeout. */

has been retained, which isn't true any more.

Steve.
--
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org