OpenSSL certificate revocation check in client program using OCSP stapling

不羁岁月 提交于 2019-11-30 18:06:25

问题


I have an embedded C client program that securely connects to a server using OpenSSL. The server provides its certificate during the handshake and the client has to check the revocation status of this certificate. Currently I do this by using OCSP.

All of this works, but now I need to re-implement the client's revocation check using OCSP stapling (assuming the server will start providing this).

Currently I get the server certificate using X509 *cert = SSL_get_peer_certificate(ssl) to check the subjectAltName against my server's domain and get the authorityInfoAccess (for OCSP URI).

Assuming I have an SSL * ssl; and I successfully set everything up and connected via SSL_connect(ssl);, what do I do at this point to get at the OCSP stapling information and verify the certificate I just received? I can't find any sample code for how to actually implement this using the OpenSSL library.


回答1:


There are a couple steps:

  1. Have the client send the status_request extension via SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp).

  2. Register a callback (and argument) to examine the OCSP response via SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb) and SSL_CTX_set_tlsext_status_arg(ctx, arg)

  3. Write the callback function. The one used by s_client demonstrates how to get at the response information:

    static int ocsp_resp_cb(SSL *s, void *arg)
    {
    const unsigned char *p;
    int len;
    OCSP_RESPONSE *rsp;
    len = SSL_get_tlsext_status_ocsp_resp(s, &p);
    BIO_puts(arg, "OCSP response: ");
    if (!p)
        {
        BIO_puts(arg, "no response sent\n");
        return 1;
        }
    rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
    if (!rsp)
        {
        BIO_puts(arg, "response parse error\n");
        BIO_dump_indent(arg, (char *)p, len, 4);
    return 0;
    }
    BIO_puts(arg, "\n======================================\n");
    OCSP_RESPONSE_print(arg, rsp, 0);
    BIO_puts(arg, "======================================\n");
    OCSP_RESPONSE_free(rsp);
    return 1;
    }
    


来源:https://stackoverflow.com/questions/9607516/openssl-certificate-revocation-check-in-client-program-using-ocsp-stapling

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!