I have an embedded C client program that securely connects to a server using OpenSSL. The server provides its certificate during the handshake and the client has to check the revocation status of this certificate. Currently I do this by using OCSP.
All of this works, but now I need to re-implement the client's revocation check using OCSP stapling (assuming the server will start providing this).
Currently I get the server certificate using X509 *cert = SSL_get_peer_certificate(ssl) to check the subjectAltName against my server's domain and get the authorityInfoAccess (for the OCSP URI).
Assuming I have an SSL *ssl and I successfully set everything up and connected via SSL_connect(ssl), what do I do at this point to get at the OCSP stapling information and verify the certificate I just received? I can't find any sample code for how to actually implement this using the OpenSSL library.
Under the Protocol details section you will see the OCSP stapling field which will indicate whether OCSP stapling is enabled on your server.
OCSP is used to check the revocation status of X509 certificates. OCSP provides revocation status on certificates in real time and is useful in time-sensitive situations such as bank transactions and stock trades.
There are a couple of steps:
1. Have the client send the status_request extension via SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp).
2. Register a callback (and argument) to examine the OCSP response via SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb) and SSL_CTX_set_tlsext_status_arg(ctx, arg).
3. Write the callback function. The one used by s_client demonstrates how to get at the response information:
#include <openssl/bio.h>
#include <openssl/ocsp.h>
#include <openssl/ssl.h>

/* Callback registered with SSL_CTX_set_tlsext_status_cb(); `arg` is the BIO
 * passed via SSL_CTX_set_tlsext_status_arg(). Return 1 to let the handshake
 * continue, 0 to abort it. */
static int ocsp_resp_cb(SSL *s, void *arg)
{
    const unsigned char *p, *start;
    long len;
    OCSP_RESPONSE *rsp;

    len = SSL_get_tlsext_status_ocsp_resp(s, &p);
    BIO_puts(arg, "OCSP response: ");
    if (!p)
    {
        BIO_puts(arg, "no response sent\n");
        return 1;
    }
    start = p;                 /* d2i advances p; keep the start for the hex dump */
    rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
    if (!rsp)
    {
        BIO_puts(arg, "response parse error\n");
        BIO_dump_indent(arg, (const char *)start, (int)len, 4);
        return 0;
    }
    BIO_puts(arg, "\n======================================\n");
    OCSP_RESPONSE_print(arg, rsp, 0);   /* human-readable dump of the whole response */
    BIO_puts(arg, "======================================\n");
    OCSP_RESPONSE_free(rsp);
    return 1;
}