Online Certificate Status Protocol or OCSP is an Internet protocol that is used to obtain the revocation status of an X.509 digital certificate. An OCSP client will send a status request to an OCSP responder and receive information if the certificate is valid or revoked. A good response shows that the certificate is valid and not revoked. Messages communicated via OCSP are encoded in ASN.1, a set of notations that describe rules and structures in telecommunications and networking, and are usually communicated over HTTP. The OCSP servers are called OCSP responders because of the request/response nature of the transmission between them and the client.
It was created as an alternative to Certificate Revocation Lists (CLR) for maintaining the security of servers and other network resources. It hoped to address certain problems regarding the use of CRLs in public key infrastructure (PKI). OCSP has many advantages over CRL. It overcomes CRL’s prime limitation: the fact that frequent downloads are required to keep things current at the client’s side. OCSP also can provide more timely information regarding the revocation status of a certificate. It also removes the need for clients to retrieve the CRL themselves (better bandwidth management), as well as the fact that OCSP allows users with an expired certificate a grace period (decreasing any downtime with expired certificates).
For this exact reason we added OCSP as a wolfSSL feature back in 2011. In our new release wolfSSL 4.3.0 we have added additional sanity check on OCSP response decoders.
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
We love you,
wolfSSL Team