Stapled OCSP responses for intermediate certs

Akshath Hegde arhsagar at gmail.com
Thu Mar 2 11:55:48 UTC 2023


Hi,
I had a few questions about OCSP stapling for intermediate certificates.
On the client side I'm adding the "certificate status request" extension to
the ClientHello message. For the server, I'm using an Apache httpd server which
has OCSP responder details configured in the ssl module. The negotiated TLS
version is 1.3.

1) The server has a multi-tier cert chain. But it seems to be sending the
OCSP response for only the end entity certificate. Apache documentation
seems to suggest this is expected and multi-stapling is not supported. Is
anyone aware of an HTTP server that supports multi-stapling?

2) On the client side, I'm registering for the OCSP response callback with
SSL_CTX_set_tlsext_status_cb.
In the case of a multi-tiered cert chain and an OCSP response for each cert, is
this callback called once for each response, or only one time?
If it's called only one time, how are the responses accessed?
SSL_get_tlsext_status_ocsp_response seems to return only one OCSP
response.
And I haven't been able to try this for lack of multi-stapling support
in the HTTP server.

3) The OCSP response callback seems to be called after the cert chain
verification callback has ended. Is there any reason for this? The
authenticity of the OCSP response is established by a different chain (OCSP
response -> CA that signed the cert), and doesn't need to wait for the server
end entity verification? So instead of CRL, OCSP could have been used
during cert chain verification.

Thanks
Akshath