[PATCH] OCSP check the whole cert chain
From: Tim Rühsen
Subject: [PATCH] OCSP check the whole cert chain
Date: Sat, 17 Jan 2015 14:55:24 +0100
User-agent: KMail/4.14.2 (Linux/3.16.0-4-amd64; KDE/4.14.2; x86_64; ; )
On Thursday, 15 January 2015, 16:53:22, Nikos Mavrogiannopoulos wrote:
> On Thu, Jan 15, 2015 at 4:18 PM, Tim Ruehsen <address@hidden> wrote:
> > Wow Nikos, that was fast! Thank you.
> > I'll try it out soon.
> > Just a follow-up question regarding OCSP.
> > Looking at
> > http://security.stackexchange.com/questions/56239/secure-connection-failed-ocsp, there is a comment:
> >
> > "By the way, OCSP stapling can only staple info for one certificate. The
> > browser will still have to contact your intermediate certificates' OCSP
> > servers unless you've recently visited another website using the same
> > ones.
> > (There's an RFC for stapling multiple certs in progress.) - Matt
> > Nordhoff"
> > To me, this sounds reasonable. Shouldn't the ocsptool loop over the
> > complete cert list and check each cert? What do you think?
>
> Indeed, that would be the right thing to do. If there is a patch for
> that I'll apply it.
Hi Nikos,
I made up a first patch to check the whole cert chain.
Not sure what to do for e.g. www.google.com where the last cert in the chain
is not verifiable via OCSP.
Please feel free to amend anything you like.
Tim
Attachment: 0001-OCSP-check-the-whole-cert-chain.patch (text)
Attachment: signature.asc (digitally signed message part)
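The per-certificate loop discussed in this thread, as an added example written for this page rather than code from the attached patch or from GnuTLS: every certificate is paired with the next one in the chain as its issuer, an OCSP request is built for each pair, and the cases Tim raises are handled explicitly (a self-signed trust anchor at the end of the chain, and a last certificate whose issuer the server did not send, as with the www.google.com chain he mentions). It uses the third-party Python `cryptography` package; the three-certificate chain, the names and the responder URLs are constructed here and are not real.

```python
"""Plan OCSP checks for every certificate in a chain, not only the leaf.

Added example, not GnuTLS or ocsptool code. The chain (leaf, intermediate,
self-signed root) and the responder URLs are constructed and fictitious.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID


def _make_cert(cn, issuer_cert, issuer_key, ocsp_url, is_ca):
    """Issue a certificate for `cn`; issuer_cert=None means self-signed."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if ocsp_url is not None:  # AIA extension naming the issuer's OCSP responder
        builder = builder.add_extension(
            x509.AuthorityInformationAccess([
                x509.AccessDescription(AuthorityInformationAccessOID.OCSP,
                                       x509.UniformResourceIdentifier(ocsp_url))
            ]),
            critical=False,
        )
    return builder.sign(issuer_key if issuer_key is not None else key, hashes.SHA256()), key


def build_test_chain():
    """Constructed chain in the order a server sends it: leaf, intermediate, root."""
    root, root_key = _make_cert("Test Root", None, None, None, True)
    inter, inter_key = _make_cert("Test Intermediate", root, root_key,
                                  "http://ocsp.root.example", True)
    leaf, _ = _make_cert("www.example", inter, inter_key,
                         "http://ocsp.intermediate.example", False)
    return [leaf, inter, root]


def ocsp_responder_url(cert):
    """Return the OCSP URI from the AIA extension, or None if there is none."""
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess)
    except x509.ExtensionNotFound:
        return None
    for desc in aia.value:
        if desc.access_method == AuthorityInformationAccessOID.OCSP:
            return desc.access_location.value
    return None


def issued_by(cert, candidate):
    """True if `candidate` is the issuer of `cert` (name match + signature check, EC keys assumed)."""
    if cert.issuer != candidate.subject:
        return False
    try:
        candidate.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                      ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:
        return False


def plan_ocsp_checks(chain):
    """One OCSP request per certificate, against the next cert in the chain.

    Returns (common_name, "request", (responder_url, request_der)) or
    (common_name, "skip", reason) per cert. A stapled response covers only
    chain[0]; the other requests still have to be sent to their responders.
    """
    plan = []
    for i, cert in enumerate(chain):
        cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        if issued_by(cert, cert):
            plan.append((cn, "skip", "self-signed trust anchor; OCSP does not apply"))
        elif i + 1 >= len(chain) or not issued_by(cert, chain[i + 1]):
            plan.append((cn, "skip", "issuer not present in chain"))
        elif ocsp_responder_url(cert) is None:
            plan.append((cn, "skip", "no OCSP responder in AIA"))
        else:
            # SHA-1 CertID is what responders universally accept (RFC 6960).
            req = ocsp.OCSPRequestBuilder().add_certificate(cert, chain[i + 1], hashes.SHA1()).build()
            plan.append((cn, "request", (ocsp_responder_url(cert),
                                         req.public_bytes(serialization.Encoding.DER))))
    return plan


def request_serial(der):
    """Serial number carried by a DER OCSP request (for inspection/tests)."""
    return ocsp.load_der_ocsp_request(der).serial_number
```

Running `plan_ocsp_checks(build_test_chain())` yields two requests (leaf against the intermediate, intermediate against the root) and one skip for the self-signed root; running it on the chain with the root removed, `chain[:2]`, reproduces the situation where the last certificate cannot be checked because its issuer is not at hand, and the planner reports that instead of building a request against the wrong key.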