[openssl-users] OCSP_sendreq_bio()

Steve Marquess marquess at openssl.com
Wed Oct 28 16:27:21 UTC 2015


On 10/28/2015 11:44 AM, Jakob Bohm wrote:
> On 27/10/2015 21:21, Walter H. wrote:
>> ...
>>>
>> OCSP must not be https ...
>> the same with CRL download ...
> Really, I thought that was only a recent cop out rule to
> cater to clients with inferior SSL libraries that can't
> handle the recursion.
> 
> Of course one should not initiate an HTTPS connection to
> a server to (directly or indirectly) validate the server's
> certificate for another such connection, but I know no
> inherent reason not to use HTTPS for CRL and OCSP access
> as long as infinite recursion is avoided, preferably
> through the choice of server certificates.

There are environments where https must be used for OCSP, due to policy
fiat and/or firewall restrictions.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
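The recursion Jakob describes, modelled as an added example (this is not code from the thread or from OpenSSL): a client that must talk TLS to an OCSP responder has to validate the responder's own certificate first, so the responder's certificate must not itself point back over HTTPS. All hostnames and URLs below are constructed.

```python
from urllib.parse import urlparse

# Constructed sample PKI: each certificate's subject mapped to the OCSP
# responder URL carried in its AIA extension (None means no pointer).
CERTS = {
    "www.example.test": "https://ocsp.ca.test/",    # responder reachable only over TLS
    "ocsp.ca.test":     "http://ocsp.ca.test/",     # responder's own cert: plain HTTP
    "www.plain.test":   "http://ocsp.ca.test/",     # the usual, non-recursive case
    "www.looped.test":  "https://ocsp.loop.test/",
    "ocsp.loop.test":   "https://ocsp.loop.test/",  # points back at itself over TLS
}


class RevocationLoop(Exception):
    """Raised when validating a certificate never terminates."""


def revocation_fetches(subject, certs, _stack=()):
    """Return, in order, the OCSP URLs a client must fetch to validate `subject`.

    An https responder URL forces a detour: the responder's TLS certificate is
    validated (recursively) before the actual OCSP request can be sent.
    """
    if subject in _stack:
        raise RevocationLoop(" -> ".join((*_stack, subject)))
    url = certs.get(subject)
    if url is None:
        return []
    fetches = []
    parsed = urlparse(url)
    if parsed.scheme == "https":
        # Check the responder's own certificate first, remembering the path taken.
        fetches += revocation_fetches(parsed.hostname, certs, (*_stack, subject))
    fetches.append(url)
    return fetches


def has_revocation_loop(subject, certs):
    """True when the chosen server certificates make revocation checking recurse forever."""
    try:
        revocation_fetches(subject, certs)
    except RevocationLoop:
        return True
    return False


if __name__ == "__main__":
    for name in CERTS:
        status = "LOOP" if has_revocation_loop(name, CERTS) else revocation_fetches(name, CERTS)
        print(f"{name:18} {status}")
```

The first two entries show the arrangement that makes an https-only responder workable: its own certificate points to a plain-http responder, so the recursion bottoms out after one extra fetch.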