On 11.12.2016 15:57, Branko Čibej wrote:
> The caller would send the nonce into serf_ssl_ocsp_request_verify() to
> check that the response contains the same nonce. The nonce is optional
> in the OCSP request, but can be used for avoiding replay attacks.
> Apparently some OCSP responders do not handle requests with nonces, so
> we can't just implicitly include one. Other than that, OpenSSL can

... generate a random nonce using its internal random generator, which I
tend to presume is, all things being equal, appropriate for use in
crypto applications.

-- Brane
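Added example, not part of the original message and not serf or OpenSSL code: a sketch of the client-side nonce check discussed above, including the case where a responder does not echo the nonce. The function names, outcome strings and the `require_echo` switch are assumptions of this example, Python's `secrets` module stands in for OpenSSL's random generator, and the DER handling covers only short-form lengths and a non-critical nonce extension.

```python
import secrets

# DER encoding of id-pkix-ocsp-nonce (1.3.6.1.5.5.7.48.1.2), RFC 6960.
NONCE_OID = bytes.fromhex("06092b0601050507300102")

def octet_string(payload: bytes) -> bytes:
    """DER OCTET STRING, short-form length only (payload under 128 bytes)."""
    if len(payload) > 127:
        raise ValueError("payload too long for this sketch")
    return b"\x04" + bytes([len(payload)]) + payload

def nonce_extension(nonce: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID, extnValue OCTET STRING { Nonce } }."""
    body = NONCE_OID + octet_string(octet_string(nonce))
    return b"\x30" + bytes([len(body)]) + body

def extract_nonce(extension: bytes):
    """Return the nonce in one DER extension, or None if it is not a nonce."""
    if len(extension) < 13 or extension[0] != 0x30:
        return None
    if extension[1] != len(extension) - 2 or extension[2:13] != NONCE_OID:
        return None
    value = extension[13:]
    for _ in range(2):  # unwrap extnValue, then the inner Nonce
        if len(value) < 2 or value[0] != 0x04 or value[1] != len(value) - 2:
            return None
        value = value[2:]
    return value

def check_nonce(sent, response_extensions, require_echo=False):
    """Compare the nonce we sent with the one in the response, if any."""
    found = [n for n in map(extract_nonce, response_extensions) if n is not None]
    if sent is None:
        return "no-nonce-sent"       # caller opted out; nothing to compare
    if not found:
        # Responder ignored the nonce: the response carries no replay
        # protection from it, so the caller's policy decides.
        return "reject" if require_echo else "accept-unprotected"
    return "accept" if found[0] == sent else "reject"

# Constructed sample data, not captured traffic.
nonce = secrets.token_bytes(16)
fresh = [nonce_extension(nonce)]                     # responder echoed our nonce
stale = [nonce_extension(secrets.token_bytes(16))]   # answer to an older request

if __name__ == "__main__":
    for name, exts in (("fresh", fresh), ("stale", stale), ("no echo", [])):
        print(name, "->", check_nonce(nonce, exts))
```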
