[openssl-users] Question on necessity of SSL_CTX_set_client_CA_list
Jan Just Keijser
janjust at nikhef.nl
Wed Dec 5 09:49:07 UTC 2018
Hi,
On 03/12/18 21:40, Viktor Dukhovni wrote:
>> On Dec 3, 2018, at 3:35 PM, Charles Mills <charlesm at mcn.org> wrote:
>>
>> OCSP and OCSP stapling are currently higher on my wish list than this.
> Good luck with OCSP, the documentation could definitely be better, and
> various projects get it wrong. IIRC curl gets OCSP right, so you
> could look there for example code, some other projects go through the
> motions, but don't always achieve a robust result.
>
> [ FWIW, I don't care much for OCSP, it's often not required, so it is
> then not clear what security properties it provides. ]
The only reason to use OCSP I currently have is in Firefox: if you turn
off "Query OCSP responder servers" in Firefox then EV certificates will
no longer show up with their owner/domain name. Now the question is:
does Firefox get OCSP "right" ;) ?
cheers,
JJK / Jan Just Keijser