On 11/10/2019 10:10, Jeremy Harris wrote:
> On 11/10/2019 09:57, Matt Caswell wrote:
>> OpenSSL does not currently support that. You can only place a status response
>> after the first certificate.
>>
>> Matt
>
>
> That's why I asked:
>
>>> Are both layouts of the TLS1.3 Certificates record v
On 11/10/2019 09:57, Matt Caswell wrote:
> OpenSSL does not currently support that. You can only place a status response
> after the first certificate.
>
> Matt
That's why I asked:
>> Are both layouts of the TLS1.3 Certificates record valid?
--
Cheers,
Jeremy
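The two layouts asked about above, encoded and decoded as an added example (not code from this thread or from OpenSSL): RFC 8446 carries a stapled OCSP response as a status_request extension inside each CertificateEntry, so it can sit on the first entry only, which is the layout Matt says OpenSSL supports, or on every entry in the chain. The certificate and OCSP bytes are constructed placeholders, not real DER.

```python
STATUS_REQUEST = 5  # extension type; RFC 8446 allows it in any CertificateEntry
STATUS_OCSP = 1     # CertificateStatusType.ocsp (RFC 6066)

def _vec(data, width):
    """Encode an opaque vector with a 1-, 2- or 3-byte length prefix."""
    return len(data).to_bytes(width, "big") + data

def _read(buf, pos, width):
    """Decode a length-prefixed vector at pos; return (data, next_pos), rejecting truncation."""
    n, start = int.from_bytes(buf[pos:pos + width], "big"), pos + width
    if pos + width > len(buf) or start + n > len(buf):
        raise ValueError("truncated vector")
    return buf[start:start + n], start + n

def build_certificate(entries, context=b""):
    """Encode a TLS 1.3 Certificate body from [(cert_der, ocsp_der_or_None), ...]."""
    cert_list = b""
    for cert_der, ocsp in entries:
        exts = b""
        if ocsp is not None:  # CertificateStatus { status_type = ocsp; OCSPResponse<1..2^24-1> }
            status = bytes([STATUS_OCSP]) + _vec(ocsp, 3)
            exts = STATUS_REQUEST.to_bytes(2, "big") + _vec(status, 2)
        cert_list += _vec(cert_der, 3) + _vec(exts, 2)
    return _vec(context, 1) + _vec(cert_list, 3)

def parse_certificate(msg):
    """Decode a Certificate body into [(cert_der, ocsp_der_or_None), ...], one per entry."""
    _, pos = _read(msg, 0, 1)  # certificate_request_context (empty for server auth)
    cert_list, pos = _read(msg, pos, 3)
    if pos != len(msg):
        raise ValueError("trailing bytes after certificate_list")
    entries, p = [], 0
    while p < len(cert_list):
        cert, p = _read(cert_list, p, 3)
        exts, p = _read(cert_list, p, 2)
        ocsp, q = None, 0
        while q < len(exts):
            if q + 2 > len(exts):
                raise ValueError("truncated extension header")
            etype = int.from_bytes(exts[q:q + 2], "big")
            data, q = _read(exts, q + 2, 2)
            if etype == STATUS_REQUEST and data[:1] == bytes([STATUS_OCSP]):
                ocsp, _ = _read(data, 1, 3)
        entries.append((cert, ocsp))
    return entries

# Constructed placeholder bytes standing in for DER certificates and OCSP responses.
LEAF, INTER, OCSP_LEAF, OCSP_INTER = b"leaf-der", b"intermediate-der", b"ocsp-leaf", b"ocsp-inter"
FIRST_ONLY = build_certificate([(LEAF, OCSP_LEAF), (INTER, None)])         # the layout OpenSSL emits
EVERY_ENTRY = build_certificate([(LEAF, OCSP_LEAF), (INTER, OCSP_INTER)])  # status on each entry
```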
On 10/10/2019 22:53, Jeremy Harris wrote:
> On 01/10/2019 12:21, Jeremy Harris wrote:
>> I'm using the indexfile variant. It seems that the -CA argument
>> needs to be the signer of the cert, not the CA for the chain; and
>> you cannot give -CA multiple times. So you don't get good OCSP status
On 01/10/2019 12:21, Jeremy Harris wrote:
> I'm using the indexfile variant. It seems that the -CA argument
> needs to be the signer of the cert, not the CA for the chain; and
> you cannot give -CA multiple times. So you don't get good OCSP status
> for all elements in the chain:
> $ openssl ocs
On 01/10/2019 12:21, Jeremy Harris wrote:
> On 30/09/2019 17:02, Matt Caswell wrote:
>>> Alternatively^2, is there some way to get such a blob from a tool
>>> (openssl ocsp, or similar) ready built? For this purpose, I am
>>> the CA.
>>>
>>
>> Yes, you can do this. For example see the "respout"
On 30/09/2019 17:02, Matt Caswell wrote:
>> Alternatively^2, is there some way to get such a blob from a tool
>> (openssl ocsp, or similar) ready built? For this purpose, I am
>> the CA.
>>
>
> Yes, you can do this. For example see the "respout" option in the
> ocsp command.
>
> From the ex
On 30/09/2019 17:02, Matt Caswell wrote:
> openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \
> -url http://ocsp.myhost.com/ -resp_text -respout resp.der
Ah, I hadn't realised that -cert could be given multiple times.
--
Thanks,
Jeremy
On 30/09/2019 14:49, Jeremy Harris wrote:
> Looking at implementing the above, under TLSv1.3 and (at least
> initially) server-side. I'm currently using
>
> SSL_CTX_set_tlsext_status_cb()
> SSL_set_tlsext_status_ocsp_resp( a DER blob )
>
> and the problem is: will this accept a
> (D