Of course you shouldn't write your own OCSP code.  OCSP is already part of
the OpenSSL library and the file apps/ocsp.c shows how to use it.

Alexander Konyagin's patch from 12 days ago doesn't seem to have been
reviewed or commented on by anybody else, so I am not sure if it is because
he also posted it on a dev list, if it is so perfect even the top experts
had no comments, if they are still testing it or if they reject it, I
simply don't know at this time.  Anyway, as his patch extends the OpenSSL
API, I wouldn't use it until it has been integrated and adapted for an
official OpenSSL release, as this ensures compatibility with future code
updates.

apps/ocsp.c is released code though, and the OpenSSL functions it calls
are official released API functions, but it doesn't hook itself into the
regular certificate verification, which seems to be what Alexander's patch
adds.

On 20-06-2012 17:19, JT Rosin wrote:
Hi, Jakob! Though it may work, I personally don't think that it's a good
idea to implement ocsp code myself! Not only because I'm a lazy guy, but
mainly for practical reasons :-)

In google I found that some guy had already made a patch that brings
some kind of ocsp client functionality to openssl
(http://www.mail-archive.com/openssl-users@openssl.org/msg67721.html).
I'll check that one tomorrow!!


On Wed, 2012-06-20 at 16:04 +0200, Jakob Bohm wrote:
Look in the openssl source code in the "apps" directory.  There you will
find the source code for each of the openssl command line subcommands
(including "openssl ocsp").  Use this as inspiration for how to do the
ocsp directly in your code.

For most of the openssl command line subcommands, the code in apps is
just a thin wrapper around some of the documented interface calls, with
most of the code in apps dealing with the command line options, loading
certificates from files and other extra stuff you probably will not need
if the stuff is already in memory and you only want to do one or two
things, not all the possible permutations of command line options.

On 6/20/2012 2:53 PM, JT Rosin wrote:
Any help on this??

On Mon, 2012-06-18 at 15:32 +0400, JT Rosin wrote:
Hello to everybody!!

I'm writing a client/server app with communication over SSL. Every setup
can be a server or a client so I think I could benefit from using ocsp
for validation purposes!

I'm very new to openssl but I found that I can use bundled command-line
`ocsp` application for checking certificates. Documentation says that I
need to call it with the remote certificate as argument.
I think I can get that certificate itself by calling
SSL_get_peer_certificate(), though I have completely no idea how to pass
the certificate to command-line app?

Thanks for your help!!
BRs, JT.

Enjoy


Jakob

--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
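The exchange the thread circles around, as an added example that is not part of any message above: the bundled `openssl ocsp` tool (the same code as apps/ocsp.c) run offline as requester, responder and verifier, with a constructed throwaway CA, leaf certificate and index.txt database, first with the certificate valid and then with it revoked. The file names, subjects, serial and dates are all constructed for this example.

```sh
#!/bin/sh
# Offline OCSP round trip with the bundled "openssl ocsp" tool: the client builds a
# request for the peer certificate, a responder answers it from an index.txt status
# database, and the client verifies the answer against the trusted CA. Everything
# here is constructed (a throwaway CA that also signs OCSP responses, one leaf cert).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

make_pki() {
    # Self-signed CA plus one leaf certificate with serial 0x1001 issued by that CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Constructed Test CA' \
        -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=peer.example.test' \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
        -days 30 -out leaf.pem 2>/dev/null
}

# issue_response V|R : write the responder database in "openssl ca" index.txt format
# (status, expiry, revocation date[,reason], hex serial, file, subject; the expiry
# field is a constructed date the responder does not evaluate), then run the client
# and responder halves of the exchange as two separate offline steps.
issue_response() {
    if [ "$1" = R ]; then revinfo='240101000000Z,keyCompromise'; else revinfo=''; fi
    printf '%s\t400101000000Z\t%s\t1001\tunknown\t/CN=peer.example.test\n' \
        "$1" "$revinfo" > index.txt
    # Client half: the peer cert (what SSL_get_peer_certificate() returns, written out
    # as PEM) and its issuer become a DER-encoded OCSP request.
    openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der
    # Responder half: look the serial up in index.txt, sign the answer with the CA key.
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -reqin req.der -respout resp.der 2>/dev/null
}

# check_status : verify resp.der against the trusted CA and print the status word
# ("good" or "revoked") that OpenSSL reports for leaf.pem.
check_status() {
    openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -CAfile ca.pem -respin resp.der |
        awk '/^leaf.pem: /{print $2}'
}

make_pki
issue_response V; check_status   # prints: good
issue_response R; check_status   # prints: revoked
```

In a real client the same three steps are the OCSP_REQUEST, responder and OCSP_basic_verify() calls that apps/ocsp.c makes; the -cert file here stands in for the X509 object the application already holds in memory.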

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
