full-chain ocsp stapling
jgh at wizmail.org
Mon Sep 30 13:49:44 UTC 2019
Looking at implementing the above, under TLSv1.3 and (at least
initially) server-side. I'm currently using
SSL_set_tlsext_status_ocsp_resp( a DER blob )
and the problem is: will this accept a
(DER-wrapped, basicresp-wrapped) stack of singleresp
where the stack has >1 element?
If so, and that is the preferred way to load such
a stapling, how can such a blob be constructed?
I have separate PEM files for each ocsp resp for
the certificate chain, currently. Converting
to DER and pulling out the singleresp is feasible;
it's building a multi-resp blob that looks hard.
Alternatively, can SSL_set_tlsext_status_ocsp_resp()
be called repeatedly, with distinct blobs for the
stapling chain elements? The manpage does not suggest it
so it seems unlikely.
Alternatively^2, is there some way to get such a blob from
a tool (openssl ocsp, or similar) ready built? For this
purpose, I am the CA.
More information about the openssl-users