I have an embedded C client program that securely connects to a server using OpenSSL. The server provides its certificate during the handshake and the client has to check th
There are a couple of steps:

1. Have the client send the status_request extension via SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp).

2. Register a callback (and argument) to examine the OCSP response via SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb) and SSL_CTX_set_tlsext_status_arg(ctx, arg).

3. Write the callback function. The one used by s_client demonstrates how to get at the response information:
    #include <openssl/bio.h>
    #include <openssl/ocsp.h>
    #include <openssl/ssl.h>

    /* status_request callback as used by s_client. `arg` is the BIO handed to
     * SSL_CTX_set_tlsext_status_arg(). Return 1 to let the handshake continue,
     * 0 to abort it. This version only prints the stapled response; it does
     * not verify the responder's signature or act on the certificate status. */
    static int ocsp_resp_cb(SSL *s, void *arg)
    {
        const unsigned char *p;
        long len;
        OCSP_RESPONSE *rsp;

        /* p receives the stapled DER bytes, or NULL if the server sent none. */
        len = SSL_get_tlsext_status_ocsp_resp(s, &p);
        BIO_puts(arg, "OCSP response: ");
        if (p == NULL) {
            BIO_puts(arg, "no response sent\n");
            return 1;                       /* a missing staple is tolerated */
        }
        rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
        if (rsp == NULL) {
            BIO_puts(arg, "response parse error\n");
            BIO_dump_indent(arg, (const char *)p, (int)len, 4);
            return 0;                       /* unparseable staple aborts */
        }
        BIO_puts(arg, "\n======================================\n");
        OCSP_RESPONSE_print(arg, rsp, 0);
        BIO_puts(arg, "======================================\n");
        OCSP_RESPONSE_free(rsp);
        return 1;
    }