curl-library
Re: [WIP/RFC] Certificate Status Request (aka OCSP stapling)
Date: Wed, 25 Jun 2014 00:01:12 +0200
On Mon, Jun 16, 2014 at 11:15:20PM +0200, Alessandro Ghedini wrote:
> * in the OpenSSL backend, the call to OCSP_basic_verify() always fails for some
> reason. I'm pretty sure I'm not using it correctly, but I don't know why...
> obviously there's no documentation at all for that. Could someone with more
> OpenSSL experience look into it?

To add a little more context, the errors I've been getting are either:

> error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error

for e.g. https://www.cloudflare.com, and:

> error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found

for e.g. http://imgur.com.

I suspect that this could be caused by an incomplete certificate chain or
something like that (the OCSP verification callback is called during
SSL_connect()).

Additionally, I also implemented the backend for NSS, though I could not
properly test it since I don't have libnsspem, or a proper NSS database (I
always get "NSS error -8048 (SEC_ERROR_OCSP_INVALID_SIGNING_CERT)").

The repo is still https://github.com/ghedo/curl/tree/status_request

Cheers