cURL / Mailing Lists / curl-library / Single Mail


Re: OSCP Stapling?

From: Alessandro Ghedini <>
Date: Fri, 7 Nov 2014 14:20:12 +0100

On ven, nov 07, 2014 at 11:51:50 +0100, Daniel Stenberg wrote:
> Hi Alessandro,
> I realize you didn't get much feedback before when you posted about your
> OCSP Stapling work and I appologize for that, but let's try this again.
> How's the status on that now and can you post what you have so far here for
> us to see how we can take it forward?

I just rebased my patches on the latest curl.git, you can find them at [0]. I
can send them to the list if needed though.

The status is as follows:

* OpenSSL backend: mostly works, but it fails to verify the signature on the
  OCSP response. I suspect that this is caused by not having the whole
  certificate chain at the time of the verification but I don't know how to fix

* GnuTLS backend: should work *in theory*, however GnuTLS OCSP support seems
  broken and the OCSP verification always fails (this also happens when using
  "gnutls-cli --ocsp <host>", so it's not just a curl problem). Requires GnuTLS
  3.1.3 or higher.

* NSS backend: worked fine last time I checked, may need more testing though.

I also have yet to write the documentation for both the CURLOPT_SSL_VERIFYSTATUS
libcurl option and the --cert-status command-line argument, but I first wanted
to check whether anyone has alternative ideas.



List admin:

Received on 2014-11-07