full-chain ocsp stapling
matt at openssl.org
Mon Sep 30 16:02:59 UTC 2019
On 30/09/2019 14:49, Jeremy Harris wrote:
> Looking at implementing the above, under TLSv1.3 and (at least
> initially) server-side. I'm currently using
> SSL_set_tlsext_status_ocsp_resp( a DER blob )
> and the problem is: will this accept a
> (DER-wrapped, basicresp-wrapped) stack of singleresp
> where the stack has >1 element?
It's an OCSPResponse object (see RFC2560) - represented by the OCSP_RESPONSE
type in OpenSSL. That can itself wrap a BasicOCSPResponse which can contain
> If so, and that is the preferred way to load such
> a stapling, how can such a blob be constructed?
If you want to construct it from scratch you might want to take a look at how
the ocsp app does it:
> I have separate PEM files for each ocsp resp for
> the certificate chain, currently. Converting
> to DER and pulling out the singleresp is feasible;
> it's building a multi-resp blob that looks hard.
> Alternatively, can SSL_set_tlsext_status_ocsp_resp()
> be called repeatedly, with distinct blobs for the
> stapling chain elements? The manpage does not suggest it
> so it seems unlikely.
No, this isn't possible.
> Alternatively^2, is there some way to get such a blob from
> a tool (openssl ocsp, or similar) ready built? For this
> purpose, I am the CA.
Yes, you can do this. For example see the "respout" option in the ocsp command.
>From the examples in the ocsp man page:
Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the
response to a file, print it out in text form, and verify the response:
openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \
-url http://ocsp.myhost.com/ -resp_text -respout resp.der
Read in an OCSP response and print out text form:
openssl ocsp -respin resp.der -text -noverify
More information about the openssl-users