Re: [PATCH] OCSP check the whole cert chain
From: Tim Ruehsen
Subject: Re: [PATCH] OCSP check the whole cert chain
Date: Mon, 02 Feb 2015 16:27:11 +0100
User-agent: KMail/4.14.2 (Linux/3.16.0-4-amd64; KDE/4.14.2; x86_64; ; )
On Monday 19 January 2015 15:33:47 Nikos Mavrogiannopoulos wrote:
> On Sat, Jan 17, 2015 at 2:55 PM, Tim Rühsen <address@hidden> wrote:
> >> > (There's an RFC for stapling multiple certs in progress.) - Matt
> >> > Nordhoff"
> >> > To me, this sounds reasonable. Shouldn't the ocsptool loop over the
> >> > complete cert list and check each cert ? What do you think ?
> >>
> >> Indeed, that would be the right thing to do. If there is a patch for
> >> that I'll apply it.
> >
> > Hi Nikos,
> > I made up a first patch to check the whole cert chain.
> > Not sure what to do for e.g. www.google.com where the last cert in the
> > chain is not verifiable via OCSP.
>
> Thank you. I've applied a modified patch, where this is skipped. With
> the updated patch, we check OCSP for the certificates we have
> information to use. For the others, we simply cannot check them.
Hi Nikos,
please have a look at src/cli.c/cert_verify_ocsp().
You changed the last line in this function in a way that, if there are revoked
certs in the chain but at least one not-revoked cert, the function returns
'ok', which it should not and which it did not in my patch.
Regards, Tim
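Added illustration of the aggregation problem raised in the message above. This is not code from GnuTLS, from Tim's patch or from the modified patch Nikos applied; the enum and function names are hypothetical, and the per-certificate OCSP result is taken as input rather than fetched from a responder. The first function models the behaviour Tim objects to (one not-revoked certificate makes the whole chain 'ok'); the second is the aggregation a chain check needs: a revoked certificate anywhere fails the chain, certificates with no OCSP information are skipped as in the applied patch, and the number of actually-checked certificates is reported so a caller can choose hard-fail over soft-fail.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Hypothetical per-certificate OCSP outcome (not a GnuTLS type).
 * OCSP_UNKNOWN stands for "no OCSP responder / no usable response",
 * e.g. the last cert of the www.google.com chain mentioned in the thread.
 */
enum ocsp_status { OCSP_GOOD, OCSP_REVOKED, OCSP_UNKNOWN };

/*
 * Model of the behaviour objected to: the chain is reported 'ok' as soon
 * as one checked certificate is not revoked, so a revoked certificate
 * elsewhere in the chain is masked.
 */
int chain_ok_masking(const enum ocsp_status *st, size_t n)
{
    int ok = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        if (st[i] == OCSP_UNKNOWN)
            continue;            /* cannot check: skipped */
        if (st[i] == OCSP_GOOD)
            ok = 1;              /* one good cert flips the verdict */
    }
    return ok;
}

/*
 * Correct aggregation: any revoked certificate fails the whole chain.
 * Certificates without OCSP information are skipped (soft-fail), as the
 * applied patch does; *checked receives how many were actually verified,
 * so a caller wanting hard-fail can additionally require checked == n.
 */
int chain_ok_strict(const enum ocsp_status *st, size_t n, size_t *checked)
{
    size_t i, c = 0;

    for (i = 0; i < n; i++) {
        if (st[i] == OCSP_REVOKED) {
            if (checked)
                *checked = c;
            return 0;            /* revoked anywhere: chain is not ok */
        }
        if (st[i] == OCSP_GOOD)
            c++;
        /* OCSP_UNKNOWN: cannot check, skip */
    }
    if (checked)
        *checked = c;
    return 1;
}

int main(void)
{
    /* Constructed chain: good leaf, revoked intermediate, root without OCSP. */
    enum ocsp_status chain[] = { OCSP_GOOD, OCSP_REVOKED, OCSP_UNKNOWN };
    size_t checked = 0;
    int strict;

    printf("masking aggregation says ok=%d\n", chain_ok_masking(chain, 3));
    strict = chain_ok_strict(chain, 3, &checked);
    printf("strict aggregation says ok=%d (checked %zu of 3)\n", strict, checked);
    return 0;
}
```

The strict version reports the all-unknown chain as 'ok' with zero certificates checked; whether that counts as a pass is a policy decision for the caller, which is why the count is returned rather than hidden in the verdict.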