[openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

Viktor Dukhovni openssl-users at dukhovni.org
Wed Dec 5 16:59:15 UTC 2018

> On Dec 5, 2018, at 4:49 AM, Jan Just Keijser <janjust at nikhef.nl> wrote:
> The only reason to use OCSP I currently have is in Firefox:  if you turn off
> "Query OCSP responder servers" in Firefox then EV certificates will no longer
> show up with their owner/domain name.

IIRC Apple's Safari is ending support for EV, and some say that EV
has failed, and are not sorry to see it go.

> Now the question is:   does Firefox get OCSP "right" ;) ?

Very likely yes.  The Firefox TLS stack is maintained by experts.
[ Also, FWIW, Firefox uses the "nss" library, not OpenSSL. ]


More information about the openssl-users mailing list