(1 replies, posted in wolfSSL)

Hello,
I am trying to set up a POC using the OCSP stapling feature implemented in the wolfSSL lib.
The client has to check the validity of the server certificate, then the server has to attach the OCSP response along with its certificate.
I don't want to specify a URL for the OCSP responder because I want to simulate the OCSP answer and so manage that directly in the server's code.
To do that I am looking for the APIs to use on the server side to load the simulated OCSP answer into the SSL session.
I didn't find any APIs in the API index nor in the "OCSP Support" web page.
Do you have any idea/recommendation to implement that?
Thanks in advance

Hello,

I am trying to implement a POC to use OCSP stapling.
I coded a client that requires OCSP stapling and wants to provide the URL of the OCSP responder to the server.
I used the API "wolfSSL_CTX_SetOCSP_OverrideURL" to do that.
By examining the client hello with Wireshark, I can see the status_request (OCSP type), that's fine, but the field
"Responder Id list length" is null.

Below is an extract of the code; is there something missing?

Thanks in advance

*********************************************************************

    /* Client side: request OCSP stapling (status_request extension) for every
       session created from this context. */
    ret = wolfSSL_CTX_EnableOCSPStapling(ctx);
    if (ret != SSL_SUCCESS) {
        fprintf(stderr, "wolfSSL_CTX_EnableOCSPStapling error.\n");
        wolfSSL_CTX_free(ctx);
        goto cleanup;           /* cleanup must not free ctx a second time */
    }

    /* Fail the handshake if the server does not staple a response. */
    ret = wolfSSL_CTX_EnableOCSPMustStaple(ctx);
    if (ret != SSL_SUCCESS) {
        fprintf(stderr, "wolfSSL_CTX_EnableOCSPMustStaple error.\n");
        wolfSSL_CTX_free(ctx);
        goto cleanup;
    }

    /* The override URL only redirects the client's own OCSP lookups; it is
       not carried in the ClientHello. The status_request responder_id_list
       holds ResponderID values (RFC 6066), not URLs, and wolfSSL leaves it empty. */
    const char *ocsp_responder_url = "www.my-ocsp-responder.test";
    ret = wolfSSL_CTX_SetOCSP_OverrideURL(ctx, ocsp_responder_url);
    if (ret != SSL_SUCCESS) {
        fprintf(stderr, "wolfSSL_CTX_SetOCSP_OverrideURL error.\n");
        wolfSSL_CTX_free(ctx);
        goto cleanup;
    }

    /* Create an SSL object */
    ssl = wolfSSL_new(ctx);
    if (ssl == NULL) {
        fprintf(stderr, "wolfSSL_new error.\n");
        wolfSSL_CTX_free(ctx);
        goto cleanup;
    }

    /* Request a stapled OCSP response on this session, with a nonce. */
    ret = wolfSSL_UseOCSPStapling(ssl, WOLFSSL_CSR_OCSP,
                                  WOLFSSL_CSR_OCSP_USE_NONCE);
    if (ret != SSL_SUCCESS) {
        fprintf(stderr, "wolfSSL_UseOCSPStapling error.\n");
        wolfSSL_free(ssl);      /* release the session before the context */
        wolfSSL_CTX_free(ctx);
        goto cleanup;
    }