It looks like there are some upcoming use cases that would need to be able to use OCSP stapling to verify both the server certificate and the intermediate CA certificate that issued that server certificate. This would require support for RFC 6961 extensions to OCSP stapling. Since the actual OCSP stapling processing is currently done outside the OpenSSL library, the changes to allow this to be used on the TLS client side would be pretty minimal for the library.
The current API does not allow this to be done since the SSL_set_tlsext_status_type() function allows only one value (TLSEXT_STATUSTYPE_ocsp = 1) to be used. It would be nice if OpenSSL 1.1.0 would make it possible to use the ocsp_multi(2) value in the status_request_v2(17) ClientHello extension. Other than the different extension type and status type values (and listing both ocsp and ocsp_multi types), the contents of that extension are identical to the existing status_request case. Since the OCSP stapling response is processed outside the library handshake processing, minimal support for this within OpenSSL would not need other changes there than just accepting ocsp_multi(2) in addition to the current TLSEXT_STATUSTYPE_ocsp(1). More could obviously be added later to help parsing in applications, but that is not critical for OpenSSL 1.1.0 to enable this functionality.

Would there be interest in getting at least the minimal changes in place before the beta release so that OpenSSL 1.1.0 could be used to implement ocsp_multi support for a TLS client?

As far as the TLS messages are concerned, these are the changes needed for the use cases I'm thinking of:

Building ClientHello: Add status_request_v2 extension with minimal contents:
00 11 00 07 00 05 02 00 00 00 00

This is very similar to the status_request extension that can currently be added:
00 05 00 05 01 00 00 00 00

Parsing ServerHello: Accept status_request_v2 extension

Parsing CertificateStatus: Accept certificate status type ocsp_multi(2)

-- 
Jouni Malinen
PGP id EFC895FA
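As an added illustration of the last item (not part of the original message, and not OpenSSL code), the following Python parses a CertificateStatus handshake message for both the ocsp(1) and ocsp_multi(2) status types and returns one OCSPResponse per certificate in the server's chain, which is what an application verifying both the server certificate and its intermediate CA certificate needs; the function names are mine and the sample message uses constructed placeholder bytes rather than real DER.

```python
# Constructed example (not OpenSSL code): build and parse a TLS CertificateStatus
# handshake message for both ocsp (RFC 6066 s.8) and ocsp_multi (RFC 6961 s.2.2).
HS_CERTIFICATE_STATUS = 22   # HandshakeType certificate_status
STATUSTYPE_OCSP = 1          # RFC 6066: a single OCSPResponse follows
STATUSTYPE_OCSP_MULTI = 2    # RFC 6961: OCSPResponseList, one entry per chain cert

def _u24_vector(data):
    return len(data).to_bytes(3, "big") + data   # opaque<..2^24-1>: 3-byte length + data

def _read_u24_vector(buf, pos):
    """Read an opaque<..2^24-1> vector at pos; return (data, position after it)."""
    if pos + 3 > len(buf):
        raise ValueError("truncated vector length")
    n = int.from_bytes(buf[pos:pos + 3], "big")
    if pos + 3 + n > len(buf):
        raise ValueError("vector runs past end of message")
    return buf[pos + 3:pos + 3 + n], pos + 3 + n

def build_certificate_status(status_type, responses):
    # ocsp carries exactly one response; ocsp_multi wraps each one in its own vector
    if status_type == STATUSTYPE_OCSP:
        payload = _u24_vector(responses[0])
    else:
        payload = _u24_vector(b"".join(_u24_vector(r) for r in responses))
    return bytes([HS_CERTIFICATE_STATUS]) + _u24_vector(bytes([status_type]) + payload)

def parse_certificate_status(msg, accepted=(STATUSTYPE_OCSP, STATUSTYPE_OCSP_MULTI)):
    """Return one DER OCSPResponse per position in the server's Certificate chain
    (b"" = nothing stapled there); a client that only offered status_request passes
    accepted=(STATUSTYPE_OCSP,) so that an unexpected ocsp_multi reply is rejected."""
    if len(msg) < 4 or msg[0] != HS_CERTIFICATE_STATUS:
        raise ValueError("not a CertificateStatus handshake message")
    body, end = _read_u24_vector(msg, 1)
    if end != len(msg) or not body:
        raise ValueError("bad handshake message length")
    status_type = body[0]
    if status_type not in accepted:
        raise ValueError("unexpected certificate status type %d" % status_type)
    vec, end = _read_u24_vector(body, 1)
    if end != len(body) or not vec:          # both vectors are <1..2^24-1>
        raise ValueError("malformed CertificateStatus body")
    if status_type == STATUSTYPE_OCSP:
        return [vec]
    responses, pos = [], 0
    while pos < len(vec):                    # zero-length entry = no staple for that cert
        resp, pos = _read_u24_vector(vec, pos)
        responses.append(resp)
    return responses

# Constructed sample (placeholder bytes, not real DER): a staple for the server
# certificate, followed by an empty entry for the intermediate CA certificate.
SAMPLE_OCSP_MULTI = bytes.fromhex("16 00000e 02 00000a 000004 6c656166 000000")
```

The returned list is index-aligned with the server's Certificate message, so the application can hand each non-empty entry to its own OCSP verifier for the matching certificate.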
