On Fri, May 20, 2022 at 01:23:31PM -0400, David Benjamin wrote:
> On Fri, May 20, 2022 at 1:07 PM Salz, Rich <rs...@akamai.com> wrote:
> 
> > Do client programs staple a status when sending a cert to the server? It
> > seems possible, someone just asked me if anyone does it.
> >
> Prior to TLS 1.3, it wasn't possible because the Certificate message
> didn't have extensions. Starting TLS 1.3, it looks like we did define
> status_request to be allowed in either direction. We (BoringSSL)
> never implemented the client certificate direction, since we haven't
> needed it yet. We just ignore the extension if we see it in
> CertificateRequest. At a glance, it looks like OpenSSL does the same.
> Dunno about other implementations.

Looking at what my implementation does, if an application gives the
library an OCSP staple to send, it will be sent if server requests one.
However, I do not think any application using the library does that, so
in practice OCSP never gets stapled into the client certificate.

(A similar thing applies to Signed Certificate Timestamp (Certificate
Transparency) stapling, and in some very recent versions, Transparency
Item (Certificate Transparency 2.0) stapling.)

-Ilari
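To make the wire-level point of the thread concrete (a TLS 1.3 Certificate message carries per-entry extensions, so a client can in principle carry an OCSP staple in its own certificate entry, and a server asks for one with an empty status_request extension in CertificateRequest), here is an added example that is not part of this thread and is not code from BoringSSL, OpenSSL or Ilari's implementation. It assumes the structures of RFC 8446 section 4.4.2 (Certificate, CertificateEntry, Extension) and RFC 6066 section 8 (CertificateStatus, status_type ocsp = 1, extension type 5); the certificate and OCSP bytes it feeds in are constructed placeholders, not real DER.

```python
"""Minimal encoder/parser for TLS 1.3 Certificate entries with a status_request staple.

Added illustration only; the wire format follows RFC 8446 4.4.2 and RFC 6066 8,
the sample bytes are constructed placeholders (not real X.509 or OCSP data).
"""
from typing import Dict, List, Optional, Tuple

STATUS_REQUEST = 5    # extension_type "status_request" (RFC 6066)
OCSP_STATUS_TYPE = 1  # CertificateStatusType.ocsp (RFC 6066)


def _vec(data: bytes, length_bytes: int) -> bytes:
    """TLS variable-length vector: big-endian length of the given width, then data."""
    return len(data).to_bytes(length_bytes, "big") + data


def _read_vec(buf: bytes, pos: int, length_bytes: int) -> Tuple[bytes, int]:
    """Read a length-prefixed vector at pos; refuse truncated input instead of guessing."""
    if pos + length_bytes > len(buf):
        raise ValueError("truncated length prefix")
    n = int.from_bytes(buf[pos:pos + length_bytes], "big")
    pos += length_bytes
    if pos + n > len(buf):
        raise ValueError("truncated vector body")
    return buf[pos:pos + n], pos + n


def encode_extension(ext_type: int, data: bytes) -> bytes:
    """Extension { uint16 extension_type; opaque extension_data<0..2^16-1>; }"""
    return ext_type.to_bytes(2, "big") + _vec(data, 2)


def encode_certificate_status(ocsp_response: bytes) -> bytes:
    """CertificateStatus { status_type(1); opaque response<1..2^24-1>; } (RFC 6066)."""
    return bytes([OCSP_STATUS_TYPE]) + _vec(ocsp_response, 3)


def encode_certificate_entry(cert_der: bytes, ocsp_response: Optional[bytes] = None) -> bytes:
    """CertificateEntry { opaque cert_data<1..2^24-1>; Extension extensions<0..2^16-1>; }"""
    exts = b""
    if ocsp_response is not None:  # staple only when the application supplied a response
        exts += encode_extension(STATUS_REQUEST, encode_certificate_status(ocsp_response))
    return _vec(cert_der, 3) + _vec(exts, 2)


def encode_certificate(context: bytes, entries: List[bytes]) -> bytes:
    """Certificate { opaque certificate_request_context<0..2^8-1>; CertificateEntry certificate_list<0..2^24-1>; }"""
    return _vec(context, 1) + _vec(b"".join(entries), 3)


def parse_extensions(blob: bytes) -> Dict[int, bytes]:
    """Parse an extension list into {type: data}; duplicates are a protocol error."""
    out: Dict[int, bytes] = {}
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated extension_type")
        ext_type = int.from_bytes(blob[pos:pos + 2], "big")
        data, pos = _read_vec(blob, pos + 2, 2)
        if ext_type in out:
            raise ValueError("duplicate extension %d" % ext_type)
        out[ext_type] = data
    return out


def parse_certificate(msg: bytes) -> Tuple[bytes, List[Tuple[bytes, Dict[int, bytes]]]]:
    """Return (certificate_request_context, [(cert_data, extensions), ...])."""
    context, pos = _read_vec(msg, 0, 1)
    cert_list, pos = _read_vec(msg, pos, 3)
    if pos != len(msg):
        raise ValueError("trailing bytes after Certificate")
    entries = []
    p = 0
    while p < len(cert_list):
        cert, p = _read_vec(cert_list, p, 3)
        if not cert:
            raise ValueError("cert_data must be non-empty")
        exts_blob, p = _read_vec(cert_list, p, 2)
        entries.append((cert, parse_extensions(exts_blob)))
    return context, entries


def stapled_ocsp(entry_exts: Dict[int, bytes]) -> Optional[bytes]:
    """OCSP response stapled to one CertificateEntry, or None when the peer sent none
    (e.g. a client that ignores status_request in CertificateRequest)."""
    data = entry_exts.get(STATUS_REQUEST)
    if data is None:
        return None
    if not data or data[0] != OCSP_STATUS_TYPE:
        raise ValueError("unsupported CertificateStatus.status_type")
    response, end = _read_vec(data, 1, 3)
    if end != len(data) or not response:
        raise ValueError("malformed CertificateStatus")
    return response


def server_requested_status(cert_request_exts: Dict[int, bytes]) -> bool:
    """RFC 8446 4.4.2.1: the server asks the client for a staple with an *empty*
    status_request extension in CertificateRequest."""
    return cert_request_exts.get(STATUS_REQUEST) == b""


if __name__ == "__main__":
    # Constructed placeholders; a real client would put DER and a DER OCSPResponse here.
    msg = encode_certificate(b"\x01\x02", [
        encode_certificate_entry(b"CONSTRUCTED-LEAF", b"CONSTRUCTED-OCSP"),
        encode_certificate_entry(b"CONSTRUCTED-CA"),
    ])
    _, entries = parse_certificate(msg)
    for cert, exts in entries:
        print(cert, "staple:", stapled_ocsp(exts))
```

The `stapled_ocsp` helper returning `None` for an entry without extensions is exactly what a server sees from the implementations discussed above: the client never sends the staple, so the entry has an empty extension list. The CertificateRequest side is the inverse check, and the empty-extension-data rule is what distinguishes "server requested a staple" from an absent or malformed request.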

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls