[openssl-users] How can I sstart openssl ocsp in secure mode using TLS/SSL

Jakob Bohm jb-openssl at wisemo.com
Tue Sep 26 13:22:13 UTC 2017

On 26/09/2017 14:31, Richard Moore wrote:
> On 26 September 2017 at 02:36, Kyle Hamilton <aerowolf at gmail.com 
> <mailto:aerowolf at gmail.com>> wrote:
>     On Fri, Sep 22, 2017 at 9:32 AM, Richard Moore
>     <richmoore44 at gmail.com <mailto:richmoore44 at gmail.com>> wrote:
>     >
>     > It's also worth pointing out that CAs are banned from running
>     OCSP servers over HTTPS anyway and it isn't needed since the
>     responses are already signed - http is fine.
>     That argument fails when you consider that some people want the
>     details of who they're talking to or asking about to be confidential,
>     not merely authentic.
> ​That doesn't change the fact it's banned.​
But ONLY for CAB/F regulated public CAs.
>     I'm a believer in the idea that SNI and the Certificate messages
>     should happen under an ephemeral DH or ephemeral ECDH cover.  Others
>     fear-monger to say "maybe they shouldn't".
> ​There are a lot of other things that would also need addressing to 
> make it secret /who/ you're talking to. ​It's not something https 
> guarantees right now. If you'd like it to that would be a whole other 
> discussion.
However wiretapping a few central non-https OCSP responders is one
of the few attacks that will reveal this without wiretapping the
actual connection.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list