[openssl-users] OCSP_sendreq_bio()
Jakob Bohm
jb-openssl at wisemo.com
Wed Oct 28 15:44:33 UTC 2015
On 27/10/2015 21:21, Walter H. wrote:
> On 26.10.2015 21:42, rosect190 at yahoo.com wrote:
>> Hi, I need some help on this call.
>>
>> I am building an OCSP client following the guide in openssl and compiling
>> the code in a Cygwin environment. My openssl version is 1.0.1h.
>>
>> With HTTP based OCSP, the code works fine. But, with HTTPs, the code
>> gets stuck at the call to OCSP_sendreq_bio(). Further debugging shows
>> that OCSP_sendreq_nbio() does not return.
>>
>> Did I need to do something extra to deal with HTTPs based connection?
>>
> OCSP must not be https ...
> the same with CRL download ...
Really, I thought that was only a recent cop-out rule to
cater to clients with inferior SSL libraries that can't
handle the recursion.
Of course one should not initiate an HTTPS connection to
a server to (directly or indirectly) validate the server's
certificate for another such connection, but I know no
inherent reason not to use HTTPS for CRL and OCSP access
as long as infinite recursion is avoided, preferably
through the choice of server certificates.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
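
Added example (not part of the original message, and not OpenSSL code): the recursion concern raised above can be checked ahead of deployment by walking which hosts must be reached over HTTPS in order to check each server certificate's revocation status. All host names and URLs are constructed, and the mapping from a host's certificate to its OCSP/CRL URLs is assumed to have been extracted beforehand.

```python
from urllib.parse import urlsplit

# Constructed sample data: host -> OCSP/CRL URLs listed in that host's certificate.
CERTS = {
    "www.example.test": ["https://ocsp.ca.test/"],
    "ocsp.ca.test": ["https://crl.ca.test/ca.crl"],
    "crl.ca.test": ["https://ocsp.ca.test/"],         # indirect loop back to ocsp.ca.test
    "mail.example.test": ["http://ocsp-plain.ca.test/"],
    "ocsp.self.test": ["https://ocsp.self.test/"],    # direct loop
}


def https_dependencies(host, certs):
    """Hosts that need their own TLS handshake before host's revocation data can be fetched."""
    deps = []
    for url in certs.get(host, []):
        parts = urlsplit(url)
        # Plain-HTTP endpoints need no further certificate validation, so they end the chain.
        if parts.scheme.lower() == "https" and parts.hostname:
            deps.append(parts.hostname.lower())
    return deps


def find_revocation_loop(start, certs):
    """Return the hosts forming a revocation-check loop reachable from start, or None."""
    path, on_path, done = [], set(), set()

    def visit(host):
        if host in on_path:                       # reached a host already being validated
            return path[path.index(host):] + [host]
        if host in done:                          # already proven loop-free
            return None
        path.append(host)
        on_path.add(host)
        for dep in https_dependencies(host, certs):
            loop = visit(dep)
            if loop:
                return loop
        path.pop()
        on_path.discard(host)
        done.add(host)
        return None

    return visit(start)


if __name__ == "__main__":
    for name in CERTS:
        print(name, "->", find_revocation_loop(name, CERTS) or "no loop")
```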