[openssl-users] OCSP_sendreq_bio()

Jakob Bohm jb-openssl at wisemo.com
Wed Oct 28 15:44:33 UTC 2015

On 27/10/2015 21:21, Walter H. wrote:
> On 26.10.2015 21:42, rosect190 at yahoo.com wrote:
>> Hi, I need some help on this call.
>> I am building an OCSP client following guide in openssl and compile 
>> the code in Cygwin environment. My openssl version is 1.0.1h.
>> With HTTP based OCSP, the code works fine. But, with HTTPs, the code 
>> gets stuck at the call to OCSP_sendreq_bio(). Further debugging shows 
>> that OCSP_sendreq_nbio() does not return.
>> Did I need to something extra to deal with HTTPs based connection?
> OCSP must not be https ...
> the same with CRL download ...
Really, I thought that was only a recent cop out rule to
cater to clients with inferior SSL libraries that can't
handle the recursion.

Of cause one should not initiate an HTTPS connection to
a server to (directly or indirectly) validate the servers
certificate for another such connection, but I know no
inherent reason not to use HTTPS for CRL and OCSP access
as long as infinite recursion is avoided, preferably
through the choice of server certificates.


Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list