curl-library
Re: OCSP Stapling?
Date: Fri, 7 Nov 2014 14:20:12 +0100
On Fri, Nov 07, 2014 at 11:51:50 +0100, Daniel Stenberg wrote:
> Hi Alessandro,
>
> I realize you didn't get much feedback before when you posted about your
> OCSP Stapling work and I apologize for that, but let's try this again.
>
> How's the status on that now and can you post what you have so far here for
> us to see how we can take it forward?
I just rebased my patches on the latest curl.git; you can find them at [0]. I
can send them to the list if needed though.
The status is as follows:
* OpenSSL backend: mostly works, but it fails to verify the signature on the
OCSP response. I suspect that this is caused by not having the whole
certificate chain at the time of the verification but I don't know how to fix
this.
* GnuTLS backend: should work *in theory*, however GnuTLS OCSP support seems
broken and the OCSP verification always fails (this also happens when using
"gnutls-cli --ocsp <host>", so it's not just a curl problem). Requires GnuTLS
3.1.3 or higher.
* NSS backend: worked fine last time I checked, may need more testing though.
I also have yet to write the documentation for both the CURLOPT_SSL_VERIFYSTATUS
libcurl option and the --cert-status command-line argument, but I first wanted
to check whether anyone has alternative ideas.
Cheers
[0] https://github.com/ghedo/curl/tree/status_request
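The following is an added example for this thread, not code from curl, from the
status_request branch linked above, or from any poster. It uses the openssl CLI
(assumed to be on PATH) to show the point raised for the OpenSSL backend: an
OCSP response's signature can only be verified if the verifier has the issuer
certificate that signed the response (or whatever chain leads from the
responder certificate to a trust anchor). A throwaway CA issues a leaf
certificate, acts as its own OCSP responder to sign a "good" response for the
leaf, and the response is then checked against a trust store that contains the
issuer and against one that only contains an unrelated CA. Every name, key,
certificate and file here (ExampleTestCA, UnrelatedCA, leaf.example.invalid,
the index.txt database line) is constructed for the example.

```shell
#!/bin/sh
# Added example (not curl code): OCSP response signing and verification with the
# openssl CLI. All certificates and names below are constructed test data.

# Build a test CA, an unrelated second CA, and a CA-signed leaf certificate in $1.
make_test_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=ExampleTestCA \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=UnrelatedCA \
    -keyout "$dir/other.key" -out "$dir/other.pem" >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -subj /CN=leaf.example.invalid \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/leaf.pem" >/dev/null 2>&1 || return 1
  # "openssl ocsp -index" reads a CA database line with six tab-separated fields:
  # status, expiry, revocation date (empty), serial in uppercase hex, "unknown",
  # subject. 'V' marks the leaf as valid, so the responder will answer "good".
  serial=$(openssl x509 -in "$dir/leaf.pem" -noout -serial | cut -d= -f2)
  printf 'V\t491231235959Z\t\t%s\tunknown\t/CN=leaf.example.invalid\n' "$serial" \
    > "$dir/index.txt"
}

# Act as the CA's own OCSP responder: build a request for the leaf, answer it from
# index.txt, sign the answer with the CA key and store the DER response.
sign_ocsp_response() {
  dir=$1
  openssl ocsp -index "$dir/index.txt" -CA "$dir/ca.pem" \
    -rsigner "$dir/ca.pem" -rkey "$dir/ca.key" \
    -issuer "$dir/ca.pem" -cert "$dir/leaf.pem" -no_nonce \
    -respout "$dir/resp.der" >/dev/null 2>&1
  [ -s "$dir/resp.der" ]
}

# Verify only the response signature against a trust store; prints OK or FAIL.
# $2 = with_issuer uses the real issuer CA, anything else uses the unrelated CA,
# which is the situation of a verifier that never received the issuer chain.
verify_response() {
  dir=$1
  case $2 in
    with_issuer) trust="$dir/ca.pem" ;;
    *)           trust="$dir/other.pem" ;;
  esac
  if openssl ocsp -respin "$dir/resp.der" -CAfile "$trust" 2>&1 \
       | grep -q 'Response verify OK'; then
    echo OK
  else
    echo FAIL
  fi
}

# What a client does with a stapled response: verify the signature with the
# issuer available, then read the status of the leaf ("good" here).
leaf_status() {
  dir=$1
  openssl ocsp -respin "$dir/resp.der" -CAfile "$dir/ca.pem" \
    -issuer "$dir/ca.pem" -cert "$dir/leaf.pem" -no_nonce 2>/dev/null \
    | awk '/leaf\.pem: / { print $2 }'
}

# Stand-alone run of the whole demonstration in a temporary directory.
work=$(mktemp -d)
if make_test_pki "$work" && sign_ocsp_response "$work"; then
  echo "trust store holds the issuer CA:   $(verify_response "$work" with_issuer)"
  echo "trust store holds an unrelated CA: $(verify_response "$work" without_issuer)"
  echo "leaf status from the OCSP response: $(leaf_status "$work")"
else
  echo "openssl setup failed" >&2
fi
rm -rf "$work"
```

The signature on resp.der is the same in both verify_response calls; the only
thing that changes is whether the verifier can build a trusted path from the
responder certificate to something it knows. That is why a backend that checks
the stapled response before the peer's chain has been collected, or without the
issuer certificate at hand, sees a verification failure even for a perfectly
valid response.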