WolfSSL built with --enable-ocsp --enable-ocspstapling --enable-ocspstapling2
Hello!
I have a TLS client application that uses OCSP stapling only (the client will not send OCSP requests to the OCSP responder) to get the revocation status of all the certificates (intermediates + server's certificate) in the chain from the TLS server. If a stapled response is missing from the Certificate Status message, I would like to abort the TLS handshake.
I have enabled OCSP stapling V2 (for TLS 1.2) so the client will request multi-stapling and may receive the stapled responses to intermediates as well.
I have also called wolfSSL_CTX_EnableOCSPMustStaple(m_ctx), but looking at the code in the SanityCheckMsgReceived function, this will only force the reception of the Certificate Status message; this message may still be missing some responses.
My questions are:
Does WolfSSL provide a way for the TLS client to detect, during the TLS handshake, that a stapled response for either the intermediates or the server's certificate is missing from the Certificate Status message, so I can abort the TLS handshake in such a case?
Alternatively, does WolfSSL provide a way to read the stapled responses in the Certificate Status message (inside the VerifyCallback for example) so I can examine them and check if there are missing staples and abort the TLS handshake accordingly?
Does WolfSSL support multi-stapling with TLS 1.3 (in the CertificateEntry structure of the Certificate message)?
Looks like all the OCSP stapling logic and checking are done internally by WolfSSL in the wolfSSL_connect function, and the stapled responses are not exposed to the user by WolfSSL's API.
Thank you!
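For readers who want to see what "missing some responses" looks like on the wire: this is an added example, not code from the issue or from wolfSSL. It encodes and parses a TLS 1.2 CertificateStatus handshake message of status_type ocsp_multi (RFC 6961), where a zero-length OCSPResponse entry means the server had no staple for that chain position, and reports which positions of a chain of a given length are uncovered. The DER bytes and chain length are constructed placeholders.

```python
CERTIFICATE_STATUS = 22        # HandshakeType certificate_status (RFC 6066)
STATUS_TYPE_OCSP = 1           # RFC 6066: a single DER OCSPResponse
STATUS_TYPE_OCSP_MULTI = 2     # RFC 6961: OCSPResponseList, one entry per chain cert

# Constructed placeholder: a minimal DER OCSPResponse shell (SEQUENCE { ENUMERATED 0 }).
# A real staple also carries responseBytes; the parser below does not inspect DER.
SAMPLE_RESPONSE = b"\x30\x03\x0a\x01\x00"


def build_certificate_status(responses):
    """Encode a CertificateStatus message with status_type ocsp_multi.
    `responses` holds DER OCSPResponse bytes per chain position (leaf first);
    b'' produces the zero-length entry RFC 6961 uses for 'no response'."""
    lst = b"".join(len(r).to_bytes(3, "big") + r for r in responses)
    body = bytes([STATUS_TYPE_OCSP_MULTI]) + len(lst).to_bytes(3, "big") + lst
    return bytes([CERTIFICATE_STATUS]) + len(body).to_bytes(3, "big") + body


def _read_vec24(buf, pos):
    """Read an opaque <0..2^24-1> vector at pos; return (bytes, next_pos)."""
    if pos + 3 > len(buf):
        raise ValueError("truncated length field")
    n = int.from_bytes(buf[pos:pos + 3], "big")
    end = pos + 3 + n
    if end > len(buf):
        raise ValueError("vector runs past end of message")
    return buf[pos + 3:end], end


def parse_certificate_status(msg):
    """Return the list of stapled responses carried by the message, in chain
    order, with b'' for an empty slot. Raises ValueError if malformed."""
    if len(msg) < 5 or msg[0] != CERTIFICATE_STATUS:
        raise ValueError("not a CertificateStatus handshake message")
    body, end = _read_vec24(msg, 1)
    if end != len(msg) or not body:
        raise ValueError("bad handshake message length")
    status_type = body[0]
    if status_type == STATUS_TYPE_OCSP:          # single staple covers the leaf only
        return [_read_vec24(body, 1)[0]]
    if status_type == STATUS_TYPE_OCSP_MULTI:
        lst, _ = _read_vec24(body, 1)
        out, pos = [], 0
        while pos < len(lst):
            resp, pos = _read_vec24(lst, pos)
            out.append(resp)
        return out
    raise ValueError("unknown status_type %d" % status_type)


def missing_staples(msg, chain_len):
    """Chain positions (0 = leaf) with no staple: slots sent empty plus any
    trailing certificates the list does not cover. Non-empty => abort."""
    responses = parse_certificate_status(msg)
    missing = [i for i, r in enumerate(responses[:chain_len]) if not r]
    return missing + list(range(len(responses), chain_len))
```

A must-staple policy that only checks that the CertificateStatus message arrived would accept the two-entry message in the test below; the position list is what decides whether the handshake should be aborted.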
Q1, Q2: I don't think wolfSSL provides an interface or any way to access Certificate Status Message raw data as you mentioned. Let me double-check.
Q3: PR #7766 is supposed to support this.
Version
5.7.2