[openssl-users] OCSP_sendreq_bio()

Michael Ströder michael at stroeder.com
Fri Oct 30 20:38:32 UTC 2015


Walter H. wrote:
> On 28.10.2015 16:44, Jakob Bohm wrote:
>> On 27/10/2015 21:21, Walter H. wrote:
>>> On 26.10.2015 21:42, rosect190 at yahoo.com wrote:
>>>> Hi, I need some help on this call.
>>>>
>>>> I am building an OCSP client following the guide in openssl and compiling the
>>>> code in a Cygwin environment. My openssl version is 1.0.1h.
>>>>
>>>> With HTTP-based OCSP, the code works fine. But with HTTPS, the code gets
>>>> stuck at the call to OCSP_sendreq_bio(). Further debugging shows that
>>>> OCSP_sendreq_nbio() does not return.
>>>>
>>>> Do I need to do something extra to deal with an HTTPS-based connection?
>>>>
>>> OCSP must not be https ...
>>> the same with CRL download ...
>> Really? I thought that was only a recent cop-out rule to
>> cater to clients with inferior SSL libraries that can't
>> handle the recursion.
> both OCSP and CRLs are signed, and this is enough for validation,
> there is no need of SSL;

There are some privacy concerns with OCSP usage.
So using TLS to protect the traffic against sniffing would be good.

Ciao, Michael.
