gnutls-devel

Re: [PATCH] OCSP check the whole cert chain


From: Nikos Mavrogiannopoulos
Subject: Re: [PATCH] OCSP check the whole cert chain
Date: Mon, 19 Jan 2015 15:33:47 +0100

On Sat, Jan 17, 2015 at 2:55 PM, Tim Rühsen <address@hidden> wrote:
>> > (There's an RFC for stapling multiple certs in progress.) - Matt
>> > Nordhoff"
>> > To me, this sounds reasonable. Shouldn't the ocsptool loop over the
>> > complete cert list and check each cert? What do you think?
>> Indeed, that would be the right thing to do. If there is a patch for
>> that I'll apply it.
> Hi Nikos,
> I made up a first patch to check the whole cert chain.
> Not sure what to do for e.g. www.google.com where the last cert in the chain
> is not verifiable via OCSP.

Thank you. I've applied a modified patch, where this is skipped. With
the updated patch, we check OCSP for the certificates we have
information to use. For the others, we simply cannot check them.

regards,
Nikos


