OpenSSL certificate revocation check in client program using OCSP stapling

I have an embedded C client program that securely connects to a server using OpenSSL. The server provides its certificate during the handshake and the client has to check the revocation status of this certificate. Currently I do this by using OCSP.

All of this works, but now I need to re-implement the client's revocation check using OCSP stapling (assuming the server will start providing this).

Currently I get the server certificate using X509 *cert = SSL_get_peer_certificate(ssl) to check the subjectAltName against my server's domain and get the authorityInfoAccess (for OCSP URI).

Assuming I have an SSL * ssl; and I successfully set everything up and connected via SSL_connect(ssl);, what do I do at this point to get at the OCSP stapling information and verify the certificate I just received? I can't find any sample code for how to actually implement this using the OpenSSL library.

mikhail Avatar asked Mar 07 '12 19:03
1 Answer

There are a couple steps:

  1. Have the client send the status_request extension via SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp).

  2. Register a callback (and argument) to examine the OCSP response via SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb) and SSL_CTX_set_tlsext_status_arg(ctx, arg).

  3. Write the callback function. The one used by s_client demonstrates how to get at the response information:

    #include <openssl/ssl.h>
    #include <openssl/bio.h>
    #include <openssl/ocsp.h>

    /* Invoked by OpenSSL once the server's status_request reply (if any) has
     * been received. `arg` is the BIO registered with
     * SSL_CTX_set_tlsext_status_arg(). Return 1 to continue the handshake,
     * 0 to abort it. */
    static int ocsp_resp_cb(SSL *s, void *arg)
    {
        BIO *out = (BIO *)arg;
        const unsigned char *p;
        long len;
        OCSP_RESPONSE *rsp;

        /* p is NULL (and len -1) when the server stapled nothing */
        len = SSL_get_tlsext_status_ocsp_resp(s, &p);
        BIO_puts(out, "OCSP response: ");
        if (!p) {
            /* s_client only reports a missing staple; it does not fail */
            BIO_puts(out, "no response sent\n");
            return 1;
        }
        rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
        if (!rsp) {
            BIO_puts(out, "response parse error\n");
            BIO_dump_indent(out, (const char *)p, (int)len, 4);
            return 0;
        }
        BIO_puts(out, "\n======================================\n");
        OCSP_RESPONSE_print(out, rsp, 0);   /* human-readable dump only; no verification */
        BIO_puts(out, "======================================\n");
        OCSP_RESPONSE_free(rsp);
        return 1;
    }

Jumbogram Avatar answered Oct 31 '22 17:10