curl-library
[WIP/RFC] Certificate Status Request (aka OCSP stapling)
Date: Mon, 16 Jun 2014 23:15:20 +0200
Hi,
I spent the afternoon fighting with OpenSSL and GnuTLS documentation trying to
add support for OCSP stapling to libcurl.
The result is a mostly-not-working-but-you-get-the-idea implementation for both
the OpenSSL and GnuTLS backends (I haven't even looked at NSS but it shouldn't
be hard).
The core of this is the new CURLOPT_SSL_VERIFYSTATUS which tells libcurl whether
to request and check the certificate status or not. This could also be used in
the future if someone decides to implement full-blown OCSP (e.g. if stapling
isn't available on the server do full OCSP, or something like that), or even to
allow the user to provide the OCSP response via other means, etc...
I've also added the new --cert-status option, which enables this functionality
for curl (it isn't enabled by default because most servers don't support this).
You can see my patches at [0] (in the branch "status_request").
Now the problems:
* in the OpenSSL backend, the call to OCSP_basic_verify() always fails for some
reason. I'm pretty sure I'm not using it correctly, but I don't know why...
obviously there's no documentation at all for that. Could someone with more
OpenSSL experience look into it?
* in the GnuTLS backend, well, I'm not sure whose fault it is but the parsing
of the OCSP response always fails (the gnutls_ocsp_resp_import() call, which
is also called by gnutls_ocsp_status_request_is_checked() internally, and I
guess that's why it fails too). It requires GnuTLS 3.1.3 or higher btw.
I'm not well versed in TLS libraries so I may have done something very wrong,
but it's a start I guess. I'd appreciate comments and help.
Cheers
[0] https://github.com/ghedo/curl/commits/status_request
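Added example, not part of the patches above or of libcurl: both backends feed the stapled bytes to a library import/verify call that fails, so it helps to see what the TLS library must unwrap first. This small C parser walks the outer OCSPResponse envelope (RFC 6960): only a status of "successful" carries responseBytes, and those must be typed id-pkix-ocsp-basic before there is a BasicOCSPResponse for OCSP_basic_verify() to check a signature on. The sample DER below is constructed for the test, not captured from a server.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* id-pkix-ocsp-basic (1.3.6.1.5.5.7.48.1.1) as DER OID contents */
static const uint8_t OID_OCSP_BASIC[] = {0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x01};
/* Constructed samples (not real responses): status successful with dummy payload
   bytes standing in for the BasicOCSPResponse, and a bare tryLater (status 3). */
const uint8_t SAMPLE_OK[] = {0x30,0x1a, 0x0a,0x01,0x00, 0xa0,0x15, 0x30,0x13, 0x06,0x09,
    0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x01, 0x04,0x06,0xde,0xad,0xbe,0xef,0x01,0x02};
const uint8_t SAMPLE_TRYLATER[] = {0x30,0x03, 0x0a,0x01,0x03};
/* Read one DER TLV at *p (definite lengths up to two bytes, enough for an OCSP
   envelope); fills tag/val/vlen and advances *p past the element, -1 if malformed. */
static int der_tlv(const uint8_t **p, const uint8_t *end, uint8_t *tag,
                   const uint8_t **val, size_t *vlen)
{
    const uint8_t *q = *p; size_t len;
    if (end - q < 2) return -1;
    *tag = q[0];
    if (q[1] < 0x80) { len = q[1]; q += 2; }
    else if (q[1] == 0x81 && end - q >= 3) { len = q[2]; q += 3; }
    else if (q[1] == 0x82 && end - q >= 4) { len = ((size_t)q[2] << 8) | q[3]; q += 4; }
    else return -1;                            /* indefinite/oversized length */
    if ((size_t)(end - q) < len) return -1;    /* truncated contents */
    *val = q; *vlen = len; *p = q + len;
    return 0;
}
/* Unwrap an OCSPResponse (RFC 6960 4.2.1): returns responseStatus (0 successful,
   3 tryLater, 6 unauthorized, ...) or -1 on bad DER / unknown responseType. For
   status 0, *basic points at the inner BasicOCSPResponse DER (the signed structure). */
int ocsp_unwrap(const uint8_t *der, size_t len, const uint8_t **basic, size_t *basic_len)
{
    const uint8_t *p = der, *end = der + len, *v;
    size_t vlen; uint8_t tag;
    *basic = NULL; *basic_len = 0;
    if (der_tlv(&p, end, &tag, &v, &vlen) || tag != 0x30) return -1;   /* SEQUENCE */
    p = v; end = v + vlen;
    if (der_tlv(&p, end, &tag, &v, &vlen) || tag != 0x0a || vlen != 1) return -1; /* ENUMERATED */
    if (v[0] != 0) return v[0];               /* error statuses carry no responseBytes */
    if (der_tlv(&p, end, &tag, &v, &vlen) || tag != 0xa0) return -1;   /* [0] EXPLICIT */
    p = v; end = v + vlen;
    if (der_tlv(&p, end, &tag, &v, &vlen) || tag != 0x30) return -1;   /* ResponseBytes */
    p = v; end = v + vlen;
    if (der_tlv(&p, end, &tag, &v, &vlen) || tag != 0x06 ||
        vlen != sizeof OID_OCSP_BASIC || memcmp(v, OID_OCSP_BASIC, vlen)) return -1;
    if (der_tlv(&p, end, &tag, &v, &vlen) || tag != 0x04) return -1;   /* OCTET STRING */
    *basic = v; *basic_len = vlen;
    return 0;
}
```

A non-zero status or a truncated envelope is a legitimate reason for the import call to fail, so logging the status value before calling into the library narrows down whether the server or the parsing is at fault.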
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html