cURL / Mailing Lists / curl-library / Single Mail


Re: [PATCH v3] OCSP stapling for GnuTLS and NSS

From: Marc Hörsken <>
Date: Tue, 20 Jan 2015 00:07:55 +0100

> So, I just rebased and updated the OpenSSL patch [0]. Of course the original
> problem that openssl doesn't like non-trusted signer certificates (even if they
> are validated by a certificate in the trust store) persists.
> The work-around is to use a special flag OCSP_TRUSTOTHER which basically means
> that we can pass additional certificates to the OCSP verify function which would
> be considered as trusted. This means that no checks at all are performed on
> those certificates. Unfortunately OCSP_TRUSTOTHER doesn't always work for some
> weird OCSP responses (e.g. those from DigiCert/Cloudflare).
> The proper solution would be to get openssl fixed of course (other projects such
> as nginx seems to be affected by this as well) but that may take a lot of time.

Could you please elaborate a little bit on the problem and especially what do you mean by „non-trusted signer certificates“?

Which part of RFC 6960 [1] does OpenSSL not implement or violate?
I am especially referring to sections 2.6 and The later states the following: Authorized Responders

   The key that signs a certificate's status information need not be the
   same key that signed the certificate. It is necessary, however, to
   ensure that the entity signing this information is authorized to do
   so. Therefore, a certificate's issuer MUST do one of the following:

   - sign the OCSP responses itself, or

   - explicitly designate this authority to another entity

   OCSP signing delegation SHALL be designated by the inclusion of
   id-kp-OCSPSigning in an extended key usage certificate extension
   included in the OCSP response signer's certificate. This certificate
   MUST be issued directly by the CA that is identified in the request.

   The CA SHOULD use the same issuing key to issue a delegation
   certificate as that used to sign the certificate being checked for
   revocation. Systems relying on OCSP responses MUST recognize a
   delegation certificate as being issued by the CA that issued the
   certificate in question only if the delegation certificate and the
   certificate being checked for revocation were signed by the same key.

   Note: For backwards compatibility with RFC 2560, it is not
         prohibited to issue a certificate for an Authorized Responder
         using a different issuing key than the key used to issue the
         certificate being checked for revocation. However, such a
         practice is strongly discouraged, since clients are not
         required to recognize a responder with such a certificate as an
         Authorized Responder.

   id-kp-OCSPSigning OBJECT IDENTIFIER ::= {id-kp 9}

   Systems or applications that rely on OCSP responses MUST be capable
   of detecting and enforcing the use of the id-kp-OCSPSigning value as
   described above. They MAY provide a means of locally configuring one
   or more OCSP signing authorities and specifying the set of CAs for
   which each signing authority is trusted. They MUST reject the
   response if the certificate required to validate the signature on the
   response does not meet at least one of the following criteria:

   1. Matches a local configuration of OCSP signing authority for the
      certificate in question, or

   2. Is the certificate of the CA that issued the certificate in
      question, or

   3. Includes a value of id-kp-OCSPSigning in an extended key usage
      extension and is issued by the CA that issued the certificate in
      question as stated above.

   Additional acceptance or rejection criteria may apply to either the
   response itself or to the certificate used to validate the signature
   on the response.

In short, the criteria 2 and 3 are probably the ones that should be accepted by default, while criteria 1 needs to be configured with a special OCSP responder trust store.

Thanks in advance.

Best regards,

List admin:
Received on 2015-01-20