
WIP: TLS1.3: added support for multiple OCSP staples v2

This patch set introduces support for multiple OCSP staples under TLS1.3.

That enhances gnutls_certificate_set_ocsp_status_request_file() to parse the response file and associate it with a certificate, introduces a new callback to retrieve more than one response, gnutls_certificate_set_ocsp_status_request_function3(), and gnutls_ocsp_status_request_get2() for the application to read the responses.

That also changes the behavior in handling OCSP responses: they are now parsed and cached in the credentials structure. That also allows gnutls to refuse to serve expired or incorrect staples, or staples which indicate revocation (not sure if the latter is a good idea).

That patch set also introduces gnutls_certificate_get_ocsp_expiration(), which allows the calling server to obtain the time at which the current set of OCSP responses expires (and thus schedule a reload).

Resolves #309 (closed)

Resolves #307 (closed)

Resolves #291 (closed)

Checklist

  • Code modified for feature
  • Test suite updated with functionality tests
  • Documentation updated

Reviewer's checklist:

  • There is a test suite reasonably covering new functionality or modifications
  • Function naming, parameters, return values, types, etc., are consistent a
  • This feature/change has adequate documentation added
  • No obvious mistakes in the code
Edited by Nikos Mavrogiannopoulos
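The server-side policy the description outlines (cache the parsed responses next to the credentials, refuse expired, mismatched or revocation-indicating staples, and compute when the cached set expires so a reload can be scheduled) as an added, stand-alone example. This is not code from the merge request or from GnuTLS: the `ocsp_staple`/`chain_cert` structs, the verdict enum, `ocsp_staple_check()` and `ocsp_cache_expiration()` are this example's own names, the clock-skew and missing-nextUpdate lifetimes are policy values picked here, and the chain serials and timestamps are constructed sample data. Revocation is reported as its own verdict rather than folded into "reject", since the description itself is unsure whether refusing such staples is the right call.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed model of one OCSP response after parsing, as this example
 * assumes it would be cached alongside the credentials. Field and type
 * names are the example's own, not GnuTLS structures. */
enum ocsp_cert_status { OCSP_GOOD = 0, OCSP_REVOKED = 1, OCSP_UNKNOWN = 2 };

struct ocsp_staple {
    const char *serial;           /* serial named in the response's CertID */
    time_t this_update;           /* thisUpdate, seconds since the epoch */
    time_t next_update;           /* nextUpdate, or 0 when the responder omitted it */
    enum ocsp_cert_status status;
};

/* The chain the staples are matched against: one serial per chain position. */
struct chain_cert {
    const char *serial;
};

/* A response without nextUpdate carries no expiry; assume it stays usable for
 * this long after thisUpdate (policy value chosen for the example). */
#define OCSP_NO_NEXT_UPDATE_LIFETIME (24 * 60 * 60)
/* Tolerance for clock skew between responder and server (example policy). */
#define OCSP_CLOCK_SKEW (5 * 60)

enum staple_verdict {
    STAPLE_SERVE = 0,
    STAPLE_NO_MATCHING_CERT,
    STAPLE_NOT_YET_VALID,
    STAPLE_EXPIRED,
    STAPLE_REVOKED,
    STAPLE_STATUS_UNKNOWN
};

/* Effective expiry, covering the case where nextUpdate was absent. */
static time_t staple_expiry(const struct ocsp_staple *s)
{
    return s->next_update ? s->next_update
                          : s->this_update + OCSP_NO_NEXT_UPDATE_LIFETIME;
}

/* Chain position the staple covers, or -1 if it matches no certificate. */
int ocsp_staple_cert_index(const struct ocsp_staple *s,
                           const struct chain_cert *chain, size_t nchain)
{
    for (size_t i = 0; i < nchain; i++)
        if (strcmp(chain[i].serial, s->serial) == 0)
            return (int)i;
    return -1;
}

/* Decide whether a cached staple may be sent to clients at time `now`. */
enum staple_verdict ocsp_staple_check(const struct ocsp_staple *s,
                                      const struct chain_cert *chain,
                                      size_t nchain, time_t now)
{
    if (ocsp_staple_cert_index(s, chain, nchain) < 0)
        return STAPLE_NO_MATCHING_CERT;          /* "incorrect": not for our chain */
    if (s->this_update > now + OCSP_CLOCK_SKEW)
        return STAPLE_NOT_YET_VALID;
    if (staple_expiry(s) + OCSP_CLOCK_SKEW <= now)
        return STAPLE_EXPIRED;
    if (s->status == OCSP_REVOKED)
        return STAPLE_REVOKED;                   /* caller decides whether to refuse */
    if (s->status == OCSP_UNKNOWN)
        return STAPLE_STATUS_UNKNOWN;
    return STAPLE_SERVE;
}

/* Earliest expiry among the staples that would actually be served, i.e. the
 * point at which the server should reload its response file. Returns 0 when
 * nothing is servable, so the caller fetches fresh responses right away. */
time_t ocsp_cache_expiration(const struct ocsp_staple *staples, size_t n,
                             const struct chain_cert *chain, size_t nchain,
                             time_t now)
{
    time_t earliest = 0;
    for (size_t i = 0; i < n; i++) {
        if (ocsp_staple_check(&staples[i], chain, nchain, now) != STAPLE_SERVE)
            continue;
        time_t e = staple_expiry(&staples[i]);
        if (earliest == 0 || e < earliest)
            earliest = e;
    }
    return earliest;
}

/* Constructed sample: a leaf ("01A3") and intermediate ("7F"), with cached
 * responses including a stale copy, one for a foreign certificate, a revoked
 * one, and one whose responder omitted nextUpdate. */
static const struct chain_cert sample_chain[] = { { "01A3" }, { "7F" } };
static const struct ocsp_staple sample_staples[] = {
    { "01A3", 1700000000, 1700604800, OCSP_GOOD },    /* leaf, 7 days */
    { "7F",   1700000000, 1700259200, OCSP_GOOD },    /* intermediate, 3 days */
    { "7F",   1699000000, 1699259200, OCSP_GOOD },    /* stale intermediate response */
    { "BEEF", 1700000000, 1700604800, OCSP_GOOD },    /* not in our chain */
    { "01A3", 1700000000, 1700604800, OCSP_REVOKED }, /* says the leaf is revoked */
    { "7F",   1700090000, 0,          OCSP_GOOD },    /* no nextUpdate */
};
#define N_SAMPLE (sizeof sample_staples / sizeof sample_staples[0])

int main(void)
{
    time_t now = 1700100000;   /* constructed "current" time */
    for (size_t i = 0; i < N_SAMPLE; i++)
        printf("staple %zu (serial %s): verdict %d\n", i, sample_staples[i].serial,
               ocsp_staple_check(&sample_staples[i], sample_chain, 2, now));
    printf("reload at %ld\n",
           (long)ocsp_cache_expiration(sample_staples, N_SAMPLE, sample_chain, 2, now));
    return 0;
}
```

With the sample data the only staples served are the leaf's good response, the intermediate's current response and the nextUpdate-less one; the reload time is driven by that last staple, because its assumed lifetime ends before the intermediate's nextUpdate, which is exactly the kind of detail a fixed "reload every N hours" timer misses.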
