Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

OpenSSL certificate revocation check in client program using OCSP stapling

Tags:

c

certificate

ssl

openssl

ocsp

I have an embedded C client program that securely connects to a server using OpenSSL. The server provides its certificate during the handshake and the client has to check the revocation status of this certificate. Currently I do this by using OCSP.

All of this works, but now I need to re-implement the client's revocation check using OCSP stapling (assuming the server will start providing this).

Currently I get the server certificate using X509 *cert = SSL_get_peer_certificate(ssl) to check the subjectAltName against my server's domain and get the authorityInfoAccess (for OCSP URI).

Assuming I have an SSL * ssl; and I successfully set everything up and connected via SSL_connect(ssl);, what do I do at this point to get at the OCSP stapling information and verify the certificate I just received? I can't find any sample code for how to actually implement this using the OpenSSL library.

like image 707
mikhail Avatar asked Mar 07 '12 19:03

mikhail

People also ask

How do I know if my stapling OCSP is working?

Under the Protocol details section you will see the OCSP stapling field which will indicate whether OCSP stapling is enabled on your server.

What is OCSP based revocation checking?

OCSP is used to check the revocation status of X509 certificates. OCSP provides revocation status on certificates in real time and is useful in time-sensitive situations such as bank transactions and stock trades.

1 Answers

There are a couple steps:

  1. Have the client send the status_request extension via SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp).

  2. Register a callback (and argument) to examine the OCSP response via SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb) and SSL_CTX_set_tlsext_status_arg(ctx, arg)

  3. Write the callback function. The one used by s_client demonstrates how to get at the response information:

    static int ocsp_resp_cb(SSL *s, void *arg)
{
const unsigned char *p;
int len;
OCSP_RESPONSE *rsp;
len = SSL_get_tlsext_status_ocsp_resp(s, &p);
BIO_puts(arg, "OCSP response: ");
if (!p)
    {
    BIO_puts(arg, "no response sent\n");
    return 1;
    }
rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
if (!rsp)
    {
    BIO_puts(arg, "response parse error\n");
    BIO_dump_indent(arg, (char *)p, len, 4);
return 0;
}
BIO_puts(arg, "\n======================================\n");
OCSP_RESPONSE_print(arg, rsp, 0);
BIO_puts(arg, "======================================\n");
OCSP_RESPONSE_free(rsp);
return 1;
}
like image 123
Jumbogram Avatar answered Oct 31 '22 17:10

Jumbogram
Sign in to Comment

Related questions

How to get execution time using msp430?
detecting bind mounts on linux
Does the Python 3 interpreter leak memory when embedded?
struct alignment
User-defined structs with a MATLAB mex function
How to manage memory alignments and generic pointer arithmetics in a portable way in C?
How do I find segmentation fault from multiple files using GDB
No warning or error indication when variable defined as static but declared as extern
How do you share a constant array of strings between files?
traversing C string: get the last word of a string
How can I prove that fread calls ReadFile and fopen calls CreateFile
New to C programming on linux, stuck at typecasting
malloc pointer to array
Euler 160 : Find the non trivial 5 digits of the factorial
Expected project/directory structure for Automake?
why ruby scanf is so slow?
Send file writes to in-memory buffer (fopen something, but write to buffer, not disk)
How can I inspect a static library to see if the debug symbols are being exported?
What is the difference between devm_kzalloc() and kzalloc() in linux driver programming
The meaning of period in ALSA

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!