Hi, I have 2 questions about this implementation.
1) Can the OCSP client put multiple certificates to check in the request?
Like this:
----------------------------------------------------------------
$ openssl ocsp -reqin ocsp_req.der -req_text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 3429CF3BC59A76F61C3296E597B1F9D5F4A52B3A
          Issuer Key Hash: 68DBFBB578936A6704433C981F7ECE61819838C7
          Serial Number: 03
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 3429CF3BC59A76F61C3296E597B1F9D5F4A52B3A
          Issuer Key Hash: 68DBFBB578936A6704433C981F7ECE61819838C7
          Serial Number: D0F00ED53778C7C5
    Request Extensions:
        OCSP Nonce:
            04104C65A6FA1D4839916C3B8C18A4EF2E5D
----------------------------------------------------------------
2) Is signing of the OCSP request by the client available?
I am referring to this: https://tools.ietf.org/html/rfc6960#section-4.1.2
"The requestor MAY choose to sign the OCSP request."
These 2 functionalities might NOT be needed when we're doing OCSP stapling.
(the server cert to verify by OCSP stapling will always be a single one ...)
Best regards,
Kinichiro Inoguchi