Walter.H at mathemainzel.info
Wed Oct 28 16:36:18 UTC 2015
On 28.10.2015 16:44, Jakob Bohm wrote:
> On 27/10/2015 21:21, Walter H. wrote:
>> On 26.10.2015 21:42, rosect190 at yahoo.com wrote:
>>> Hi, I need some help on this call.
>>> I am building an OCSP client following guide in openssl and compile
>>> the code in Cygwin environment. My openssl version is 1.0.1h.
>>> With HTTP based OCSP, the code works fine. But, with HTTPs, the code
>>> gets stuck at the call to OCSP_sendreq_bio(). Further debugging
>>> shows that OCSP_sendreq_nbio() does not return.
>>> Did I need to something extra to deal with HTTPs based connection?
>> OCSP must not be https ...
>> the same with CRL download ...
> Really, I thought that was only a recent cop out rule to
> cater to clients with inferior SSL libraries that can't
> handle the recursion.
both OCSP and CRLs are signed, and this is enough for validation,
there is no need of SSL;
and an infinite recursion would be implied because of
the need of validating these SSL-certificates the same way
as the origin SSL-certificate ...
but be aware the CRLs can be in an LDAP - done by bad CAs;
OCSP must be HTTP
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4312 bytes
Desc: S/MIME Cryptographic Signature
More information about the openssl-users