[WIP/RFC] Certificate Status Request (aka OCSP stapling)

From: Alessandro Ghedini <>
Date: Mon, 16 Jun 2014 23:15:20 +0200


I spent the afternoon fighting with OpenSSL and GnuTLS documentation trying to
add support for OCSP stapling to libcurl.

The result is a mostly-not-working-but-you-get-the-idea implementation for both
the OpenSSL and GnuTLS backends (I haven't even looked at NSS but it shouldn't
be hard).

The core of this is the new CURLOPT_SSL_VERIFYSTATUS which tells libcurl whether
to request and check the certificate status or not. This could also be used in
the future if someone decides to implement full-blown OCSP (e.g. if stapling
isn't available on the server do full OCSP, or something like that), or even to
allow the user to provide the OCSP response via other means, etc...

I've also added the new --cert-status option, which enables this functionality
for curl (it isn't enabled by default because most servers don't support this).

You can see my patches at [0] (in the branch "status_request").

Now the problems:

* in the OpenSSL backend, the call to OCSP_basic_verify() always fails for some
  reason. I'm pretty sure I'm not using it correctly, but I don't know why...
  obviously there's no documentation at all for that. Could someone with more
  OpenSSL experience look into it?

* in the GnuTLS backend, well, I'm not sure whose fault it is but the parsing
  of the OCSP response always fails (the gnutls_ocsp_resp_import() call, which
  is also called by gnutls_ocsp_status_request_is_checked() internally, and I
  guess that's why it fails too). It requires GnuTLS 3.1.3 or higher btw.

I'm not well versed in TLS libraries so I may have done something very wrong,
but it's a start I guess. I'd appreciate comments and help.
