OCSP

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu May 8 07:27:21 PDT 2014


On Thu, 2014-05-08 at 14:38 +0100, David Woodhouse wrote:
> Should OpenConnect be doing OCSP? There's not a lot of point in people
> revoking all their certs after Heartbleed, if clients aren't actually
> *checking*, right?
> I think we probably should, but.... it's going to make me sad, isn't it?
> I'm going to have to write hundreds of lines of code to do stuff that I
> might naïvely have hoped would have been happening for me automatically
> before I even thought about it?

There are two ways to receive the OCSP response. One is through the TLS
handshake (ocserv for example can be set up to send a fresh OCSP server
response to openconnect). In that case openconnect (with gnutls - no
idea about openssl - although I'd expect the same) will automatically
check this OCSP response.

The other is, during the handshake, to connect to the OCSP server whose
address you get by reading an X.509 extension in the certificate, issue
a request and verify the reply. You can see an example that uses libcurl
to issue a POST request and retrieve the answer at:
http://www.gnutls.org/manual/gnutls.html#OCSP-example

I do think however that key pinning (i.e., avoiding all PKI altogether,
similar to my previous patch), is quite better than any of that.

regards,
Nikos
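
To make the second path concrete, here is an added example (not part of the post, and not openconnect, ocserv or gnutls code) that walks the same three steps with the openssl command-line tool: read the responder URL from the certificate's AIA extension, build a DER OCSP request, and verify the signed reply against the CA before reading the status. Everything is constructed locally and offline: a throwaway CA, two leaf certificates, and an index file in which one serial is revoked for key compromise; the responder is played by `openssl ocsp -index`, so the URL http://ocsp.example.test/ is made up and never contacted. The HTTP POST that the gnutls manual does with libcurl is the only piece left out.

```shell
#!/bin/sh
# Added example (not openconnect, ocserv or gnutls code): the "fetch it yourself"
# OCSP path from the post, done offline with the openssl CLI.
#   1. read the responder URL from the certificate's AIA extension
#   2. build a DER OCSP request for the certificate(s)
#   3. verify the signed reply against the CA and read the status
# The CA, the leaf certs, the revocation index and the responder URL
# http://ocsp.example.test/ are all constructed here; nothing is contacted.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

make_pki() {
    # Throwaway CA plus two leaf certificates carrying an AIA OCSP pointer.
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout ca.key -out ca.pem -days 365 -subj "/CN=Test VPN CA" 2>/dev/null
    printf 'authorityInfoAccess = OCSP;URI:http://ocsp.example.test/\n' > ext.cnf
    for name in vpn1 vpn2; do
        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$name.key" -out "$name.csr" -subj "/CN=$name.example.test" 2>/dev/null
    done
    openssl x509 -req -in vpn1.csr -CA ca.pem -CAkey ca.key -set_serial 0x1000 \
        -days 365 -extfile ext.cnf -out vpn1.pem 2>/dev/null
    openssl x509 -req -in vpn2.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
        -days 365 -extfile ext.cnf -out vpn2.pem 2>/dev/null
    # CA database in openssl's index.txt format (constructed): serial 0x1000 was
    # revoked for key compromise, 0x1001 is still valid.
    printf 'R\t350101000000Z\t250101000000Z,keyCompromise\t1000\tunknown\t/CN=vpn1.example.test\n' > index.txt
    printf 'V\t350101000000Z\t\t1001\tunknown\t/CN=vpn2.example.test\n' >> index.txt
}

# Step 1: the client finds the responder by reading the AIA extension.
ocsp_uri_of() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Step 2: build the request; a real client POSTs req.der to the URL from step 1
# (the libcurl part of the gnutls manual example, skipped here).
build_request() {
    openssl ocsp -issuer ca.pem -cert vpn1.pem -cert vpn2.pem -no_nonce \
        -reqout req.der >/dev/null 2>&1
}

# Responder side: the CA answers from its index and signs with its own key.
answer_request() {
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key -ndays 1 \
        -reqin req.der -respout resp.der >/dev/null 2>&1
}

# Step 3: verify the reply. The verdict is taken from the printed text rather than
# the exit status; without "Response verify OK" the status lines mean nothing.
verify_response() {
    out=$(openssl ocsp -respin resp.der -issuer ca.pem -cert vpn1.pem -cert vpn2.pem \
              -no_nonce -CAfile ca.pem 2>&1) || true
    printf '%s\n' "$out" | grep -q 'Response verify OK' || {
        printf 'OCSP response did not verify:\n%s\n' "$out" >&2
        return 1
    }
    printf '%s\n' "$out" | grep -E '^vpn[12]\.pem: '
}

# status_of vpn1.pem -> "revoked" / "good" / "unknown"
status_of() {
    verify_response | sed -n "s/^$1: //p"
}

make_pki
build_request
answer_request
echo "responder URL from AIA: $(ocsp_uri_of vpn1.pem)"
verify_response
```

Run as a plain script; it prints the URL it would have contacted and one `<cert>: <status>` line per certificate (`vpn1.pem: revoked`, `vpn2.pem: good`). The point of step 3 is the order of operations: the signature on the response is checked against the issuing CA first, and only then is the status read, which is exactly what a client has to do itself on this path and what the stapled-in-handshake path gets for free from gnutls.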
