[openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

Jan Just Keijser janjust at nikhef.nl
Wed Dec 5 09:49:07 UTC 2018


On 03/12/18 21:40, Viktor Dukhovni wrote:
>> On Dec 3, 2018, at 3:35 PM, Charles Mills <charlesm at mcn.org> wrote:
>> OCSP and OCSP stapling are currently higher on my wish list than this.
> Good luck with OCSP, the documentation could definitely be better, and
> various projects get it wrong.  IIRC curl gets OCSP right, so you
> could look there for example code, some other projects go through the
> motions, but don't always achieve a robust result.
> [ FWIW, I don't care much for OCSP, it's often not required, so it is
> then not clear what security properties it provides. ]

The only reason to use OCSP I currently have is in Firefox: if you turn
off "Query OCSP responder servers" in Firefox then EV certificates will
no longer show up with their owner/domain name. Now the question is:
does Firefox get OCSP "right" ;) ?


JJK / Jan Just Keijser

