
Add support for OCSP Stapling to OpenSSL I/O Handler #19

@rlebeau

Description


See https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_tlsext_status_cb.html

In a nutshell:

  • On the client side, prior to starting an SSL/TLS handshake, call SSL_CTX_set_tlsext_status_cb() to enable a status callback function, and SSL_set_tlsext_status_type(TLSEXT_STATUSTYPE_ocsp) to request OCSP from the server. The callback function can then use SSL_get_tlsext_status_ocsp_resp() and d2i_OCSP_RESPONSE() to access the server's OCSP response data.

  • On the server side, call SSL_CTX_set_tlsext_status_cb() to enable a status callback function. The callback function can then use SSL_get_certificate() to access the certificate that is being sent to the client, obtain the desired OCSP response to be sent back as needed, and finally use SSL_set_tlsext_status_ocsp_resp() to include that response data with the certificate.

Metadata


Labels

  • Element: SSL/TLS (issues related to SSL/TLS handling, TIdSSLIOHandlerSocketBase and descendants)

  • Status: Deferred (issue to be re-reviewed in a future release)

  • Type: Enhancement (issue is proposing a new feature/enhancement)
