

4.2.4 OCSP stapling

To avoid client applications having to contact the OCSP responder directly, TLS servers can include a "stapled" OCSP response in the TLS handshake. The client application then needs to do nothing more: GnuTLS automatically considers the stapled OCSP response during TLS certificate verification (see gnutls_certificate_verify_peers2), and the raw stapled response can be obtained with gnutls_ocsp_status_request_get.

In addition, since GnuTLS 3.5.1 the client honours the [RFC7633] OCSP Must-Staple certificate extension when checking for stapled OCSP responses: if the extension is present in the server certificate and no OCSP staple was received, certificate verification fails and the status code GNUTLS_CERT_MISSING_OCSP_STATUS is returned by the verification function.

GnuTLS servers can provide this response to their clients using the following functions.

void gnutls_certificate_set_ocsp_status_request_function (gnutls_certificate_credentials_t sc, gnutls_status_request_ocsp_func ocsp_func, void * ptr)
int gnutls_certificate_set_ocsp_status_request_file (gnutls_certificate_credentials_t sc, const char * response_file, unsigned idx)
int gnutls_ocsp_status_request_is_checked (gnutls_session_t session, unsigned int flags)

The simplest approach is for a server to provide the OCSP responder's response using gnutls_certificate_set_ocsp_status_request_file. Because a response is only valid between its thisUpdate and nextUpdate times, the file has to be refreshed before nextUpdate passes; a stale staple is not accepted as valid by clients, and a Must-Staple client would fail the handshake. The response file may be updated periodically using the following command (see also ocsptool Invocation).

ocsptool --ask --load-cert server_cert.pem --load-issuer the_issuer.pem \
         --load-signer the_issuer.pem --outfile ocsp.response