On Sun, 16 May 2021, igorr+curl--- via curl-library wrote:

> Am I missing something here?
>
> If not, imvho, the "fix" in this particular case is somewhat involved -- for every OCSP_CERTID (#1) available in the stapled response, curl should construct its own OCSP_CERTID (#2) corresponding to the peer certificate based on the hash of #1 and use OCSP_resp_find_status() to locate the OCSP_CERTID in the response. And only after trying all of OCSP_CERTIDs in this fashion unsuccessfully should one reply with:

I'm not really up to date with how OCSP stapling should be implemented, so I'll just take your word for it that this is a sound way to do it.

--

 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://www.wolfssl.com/contact/
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html