OpenSSL certificate revocation check in client program using OCSP stapling
Question
I have an embedded C client program that securely connects to a server using OpenSSL. The server provides its certificate during the handshake and the client has to check the revocation status of this certificate. Currently I do this by using OCSP.
All of this works, but now I need to re-implement the client's revocation check using OCSP stapling (assuming the server will start providing this).
Currently I get the server certificate using X509 *cert = SSL_get_peer_certificate(ssl) to check the subjectAltName against my server's domain and get the authorityInfoAccess (for the OCSP URI).

Assuming I have an SSL *ssl; and I successfully set everything up and connected via SSL_connect(ssl);, what do I do at this point to get at the OCSP stapling information and verify the certificate I just received? I can't find any sample code for how to actually implement this using the OpenSSL library.
There are a couple of steps:

1. Have the client send the status_request extension via SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp).
2. Register a callback (and argument) to examine the OCSP response via SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb) and SSL_CTX_set_tlsext_status_arg(ctx, arg).
3. Write the callback function. The one used by s_client demonstrates how to get at the response information:

```c
#include <openssl/bio.h>
#include <openssl/ocsp.h>
#include <openssl/ssl.h>

/* Status callback: arg is the BIO registered via SSL_CTX_set_tlsext_status_arg().
 * Return 1 to let the handshake continue, 0 to abort it. */
static int ocsp_resp_cb(SSL *s, void *arg)
{
    const unsigned char *p, *start;
    int len;
    OCSP_RESPONSE *rsp;

    /* Fetch the DER of the stapled response; p is NULL if the server sent none. */
    len = SSL_get_tlsext_status_ocsp_resp(s, &p);
    BIO_puts(arg, "OCSP response: ");
    if (!p) {
        BIO_puts(arg, "no response sent\n");
        return 1;
    }
    start = p;  /* d2i advances p; keep the original pointer for the hex dump */
    rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
    if (!rsp) {
        BIO_puts(arg, "response parse error\n");
        BIO_dump_indent(arg, (char *)start, len, 4);
        return 0;
    }
    BIO_puts(arg, "\n======================================\n");
    OCSP_RESPONSE_print(arg, rsp, 0);  /* prints the response; it does not verify it */
    BIO_puts(arg, "======================================\n");
    OCSP_RESPONSE_free(rsp);
    return 1;
}
```