[openssl-users] OCSP_sendreq_bio()

Walter H. Walter.H at mathemainzel.info
Wed Oct 28 16:36:18 UTC 2015


On 28.10.2015 16:44, Jakob Bohm wrote:
> On 27/10/2015 21:21, Walter H. wrote:
>> On 26.10.2015 21:42, rosect190 at yahoo.com wrote:
>>> Hi, I need some help on this call.
>>>
>>> I am building an OCSP client following guide in openssl and compile 
>>> the code in Cygwin environment. My openssl version is 1.0.1h.
>>>
>>> With HTTP based OCSP, the code works fine. But, with HTTPs, the code 
>>> gets stuck at the call to OCSP_sendreq_bio(). Further debugging 
>>> shows that OCSP_sendreq_nbio() does not return.
>>>
>>> Did I need to something extra to deal with HTTPs based connection?
>>>
>> OCSP must not be https ...
>> the same with CRL download ...
> Really, I thought that was only a recent cop out rule to
> cater to clients with inferior SSL libraries that can't
> handle the recursion.
both OCSP and CRLs are signed, and this is enough for validation,
there is no need of SSL;
and an infinite recursion would be implied because of
the need of validating these SSL-certificates the same way
as the origin SSL-certificate ...

but be aware the CRLs can be in an LDAP - done by bad CAs;
OCSP must be HTTP

Walter

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4312 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151028/fb66f23c/attachment.bin>


More information about the openssl-users mailing list