Re: [WIP/RFC] Certificate Status Request (aka OCSP stapling)

From: Alessandro Ghedini
Date: Wed, 25 Jun 2014 00:01:12 +0200

On Mon, Jun 16, 2014 at 11:15:20PM +0200, Alessandro Ghedini wrote:
> * in the OpenSSL backend, the call to OCSP_basic_verify() always fails for some
> reason. I'm pretty sure I'm not using it correctly, but I don't know why...
> obviously there's no documentation at all for that. Could someone with more
> OpenSSL experience look into it?

To add a little more context, the errors I've been getting are either:

> error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error

for e.g., and:

> error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found

for e.g.

I suspect that this could be caused by an incomplete certificate chain or
something like that (the OCSP verification callback is called during

Additionally, I also implemented the backend for NSS, though I could not
properly test it since I don't have libnsspem, or a proper nss database (I
always get "NSS error -8048 (SEC_ERROR_OCSP_INVALID_SIGNING_CERT)").

The repo is still


