> I used libcrypto to parse out the OCSP URL from the certificate, validate
> it against a whitelist of valid OCSP URLs, send an OCSP request and
> validate the response and its signature against a custom certificate
> store, and then parse out the result.
>
> Two points on that:
>     - This seems like something that should be in libcrypto rather than in
>     my own code. Did I miss something obvious?

We generally don’t do any kind of network traffic (except SSL) and would rather 
leave that up to the application.  Especially because there are all sorts of 
other frameworks, blocking issues, DNS, etc., that make things a non-simple 
matter.

>     - Currently I don't fall back to CRLs when the OCSP server is
>     unavailable. I would like to do so; however, I can't figure out how to
>     validate the signature on a CRL (which would be a pretty obvious
>     failure). Alternatively, is there an obvious alternative thing that I
>     should be doing, rather than manually parsing the CRL?
  
X509_CRL_verify.  And yes, looking through to find the serial# is what you have 
to do.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
