
curl-library

Re: [WIP/RFC] Certificate Status Request (aka OCSP stapling)

From: Alessandro Ghedini <alessandro_at_ghedini.me>
Date: Wed, 25 Jun 2014 00:01:12 +0200

On Mon, Jun 16, 2014 at 11:15:20PM +0200, Alessandro Ghedini wrote:
> * in the OpenSSL backend, the call to OCSP_basic_verify() always fails for some
> reason. I'm pretty sure I'm not using it correctly, but I don't know why...
> obviously there's no documentation at all for that. Could someone with more
> OpenSSL experience look into it?

To add a little more context, the errors I've been getting are either:

> error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error

for e.g. https://www.cloudflare.com, and:

> error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found

for e.g. http://imgur.com.

I suspect that this could be caused by an incomplete certificate chain or
something like that (the OCSP verification callback is called during
SSL_connect()).

I also implemented the backend for NSS, though I could not
properly test it since I don't have libnsspem, or a proper nss database (I
always get "NSS error -8048 (SEC_ERROR_OCSP_INVALID_SIGNING_CERT)").

The repo is still https://github.com/ghedo/curl/tree/status_request

Cheers

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2014-06-25
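Added example (not part of the mail, and not curl or OpenSSL code): the two errors quoted above come from different stages of OCSP_basic_verify(), and the order of those stages decides which one is reported. The signer named by the response's ResponderID is first looked for among the certificates embedded in the BasicOCSPResponse and then in the certs argument; only when that lookup succeeds is the signer verified against the trust store and checked to be the issuing CA or a responder delegated by it (RFC 6960, section 4.2.2.2). The Go program below models that procedure on the standard library's crypto/x509 so it runs without OpenSSL; it is a reimplementation of the rules, not a binding to OCSP_basic_verify(). It assumes a byName ResponderID and constructs its own CA, server leaf and delegated responder in memory; the names "Example Test CA", "www.example.test" and "Example OCSP Responder" are invented for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// The two failure classes quoted in the mail, kept apart because their causes differ.
var (
	errSignerNotFound = errors.New("signer certificate not found")
	errVerify         = errors.New("certificate verify error")
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// findSigner resolves a byName ResponderID (the DER subject of the signer) against the certs embedded
// in the BasicOCSPResponse, then the chain the caller passes in. The trust store plays no part here.
func findSigner(responderName []byte, respCerts, chain []*x509.Certificate) (*x509.Certificate, error) {
	for _, c := range append(append([]*x509.Certificate{}, respCerts...), chain...) {
		if bytes.Equal(c.RawSubject, responderName) {
			return c, nil
		}
	}
	return nil, errSignerNotFound
}

// verifySigner is the lookup followed by the RFC 6960 section 4.2.2.2 acceptance rules: the signer must
// chain to a trusted root and be the issuing CA itself, or be issued by that CA and carry id-kp-OCSPSigning.
func verifySigner(responderName []byte, respCerts, chain []*x509.Certificate, issuer *x509.Certificate, roots *x509.CertPool) error {
	signer, err := findSigner(responderName, respCerts, chain)
	if err != nil {
		return err
	}
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("%w: %v", errVerify, err)
	}
	if bytes.Equal(signer.Raw, issuer.Raw) {
		return nil // the CA signed the response itself
	}
	if err := signer.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("%w: responder not issued by the CA: %v", errVerify, err)
	}
	for _, eku := range signer.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			return nil // properly delegated responder
		}
	}
	return fmt.Errorf("%w: responder lacks id-kp-OCSPSigning", errVerify)
}

// issue mints a constructed in-memory certificate; with isCA it becomes a self-signed root.
func issue(serial int64, cn string, eku []x509.ExtKeyUsage, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// buildPKI returns a constructed hierarchy: trusted CA, server leaf, delegated OCSP responder, root pool.
func buildPKI() (*x509.Certificate, *x509.Certificate, *x509.Certificate, *x509.CertPool) {
	ca, caKey := issue(1, "Example Test CA", nil, true, nil, nil)
	leaf, _ := issue(2, "www.example.test", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, false, ca, caKey)
	responder, _ := issue(3, "Example OCSP Responder", []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}, false, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return ca, leaf, responder, roots
}

func main() {
	ca, leaf, responder, roots := buildPKI()
	short := []*x509.Certificate{leaf} // a server that staples but sends an incomplete chain
	fmt.Println("responder absent from response and chain:", verifySigner(responder.RawSubject, nil, short, ca, roots))
	fmt.Println("responder embedded in the response:      ", verifySigner(responder.RawSubject, []*x509.Certificate{responder}, short, ca, roots))
	fmt.Println("CA signs directly but is not trusted:    ", verifySigner(ca.RawSubject, nil, []*x509.Certificate{leaf, ca}, ca, x509.NewCertPool()))
}
```

Running it with go run prints the three cases in order: a delegated responder that is neither embedded in the response nor sent in the server's chain ends in the "signer certificate not found" outcome, which is the shape of failure an incomplete chain produces; a signer that is found but does not build to the trust store ends in the "certificate verify error" outcome. For a client whose status callback runs inside SSL_connect(), the certs argument of OCSP_basic_verify() can be the peer chain from SSL_get_peer_cert_chain() and the store SSL_CTX_get_cert_store(); when the stapled response depends on a delegated responder certificate the server neither embeds nor sends, no choice of trust store makes the lookup succeed.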