Topic: Client Hello / OCSP stapling / set responder id list

Hello,
   
I am trying to implement a POC to use OCSP stapling.
I coded a client that requires OCSP stapling and wants to provide the URL of the OCSP responder to the server.
I used the API "wolfSSL_CTX_SetOCSP_OverrideURL" to do that.
By examining the client hello with Wireshark, I can see the status_request (OCSP type), that's fine, but the field
"Responder Id list length" is null.

Below is an extract of the code; is there something missing?

Thanks in advance

*********************************************************************

    /* ctx is a WOLFSSL_CTX already created with wolfSSL_CTX_new(); ret is an int */

    /* Enable OCSP stapling on the context */
    ret = wolfSSL_CTX_EnableOCSPStapling(ctx);
    if (ret != SSL_SUCCESS) {
        fprintf(stderr, "Error enabling OCSP stapling.\n");
        wolfSSL_CTX_free(ctx);
        goto cleanup;
    }

    /* Require the server to actually staple a response (OCSP must-staple) */
    ret = wolfSSL_CTX_EnableOCSPMustStaple(ctx);
    if (ret != SSL_SUCCESS) {
        fprintf(stderr, "Error enabling OCSP must-staple.\n");
        wolfSSL_CTX_free(ctx);
        goto cleanup;
    }

    /* Override the OCSP responder URL */
    const char * ocsp_responder_url = "www.my-ocsp-responder.test";
    ret = wolfSSL_CTX_SetOCSP_OverrideURL(ctx, ocsp_responder_url);
    if (ret != SSL_SUCCESS) {
        fprintf(stderr, "Error setting OCSP override URL.\n");
        wolfSSL_CTX_free(ctx);
        goto cleanup;
    }

    /* Create an SSL object */
    ssl = wolfSSL_new(ctx);
    if (ssl == NULL) {
        fprintf(stderr, "wolfSSL_new error.\n");
        wolfSSL_CTX_free(ctx);
        return -1;
    }

    /* Request a stapled OCSP response (status_request extension) with a nonce */
    ret = wolfSSL_UseOCSPStapling(ssl, WOLFSSL_CSR_OCSP,
                                  WOLFSSL_CSR_OCSP_USE_NONCE);
    if (ret != SSL_SUCCESS) {
        fprintf(stderr, "Error requesting OCSP stapling on the SSL object.\n");
        wolfSSL_CTX_free(ctx);
        goto cleanup;
    }


Re: Client Hello / OCSP stapling / set responder id list

Hi Nicolas,

Welcome to the forums!

My colleague is going to review and provide a response for you.

Thanks,
Eric - wolfSSL Support

Re: Client Hello / OCSP stapling / set responder id list

Hi Nicolas,

Thanks for posting on the forum.
Unfortunately, currently we don't support specifying the ResponderIDs in the Certificate Status Request extension.

The API wolfSSL_CTX_SetOCSP_OverrideURL is used to override the URL for OCSP requests locally.
So if invoked on the client side, it will only affect normal OCSP requests originating from the client.
If invoked on the server side, it will affect OCSP requests originating from the server (either to verify the client certificate and/or to staple OCSP responses for the clients).

If this feature is important to you, feel free to reach us at support@wolfssl.com.

Thanks,
Marco

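To make the Wireshark observation from the first post concrete, here is an added example (not wolfSSL code and not from either poster) that parses the extension_data of a TLS status_request extension as defined in RFC 6066: one status_type byte, a 2-byte responder_id_list length followed by length-prefixed ResponderIDs, then a 2-byte request_extensions length. The byte strings are constructed by hand: the first has the shape the poster saw (responder_id_list length 0, which is what a client that does not populate ResponderIDs sends), the second carries two ResponderIDs, and the third is truncated so the bounds checks reject it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6066 CertificateStatusType: only ocsp(1) is defined */
#define STATUS_TYPE_OCSP 1

typedef struct {
    uint8_t status_type;
    size_t  responder_id_list_len;   /* bytes in responder_id_list */
    size_t  responder_id_count;      /* number of ResponderID items */
    size_t  request_extensions_len;  /* bytes in request_extensions */
} status_request_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the extension_data of a status_request extension.
 * Every length field is checked against the remaining bytes before use.
 * Returns 0 on success, -1 on malformed or unsupported input. */
int parse_status_request(const uint8_t *data, size_t len, status_request_t *out)
{
    size_t off = 0, end;
    memset(out, 0, sizeof(*out));

    if (len < 1) return -1;
    out->status_type = data[off++];
    if (out->status_type != STATUS_TYPE_OCSP) return -1;

    if (len - off < 2) return -1;
    out->responder_id_list_len = rd16(data + off); off += 2;
    if (len - off < out->responder_id_list_len) return -1;

    end = off + out->responder_id_list_len;
    while (off < end) {
        uint16_t id_len;
        if (end - off < 2) return -1;
        id_len = rd16(data + off); off += 2;
        /* ResponderID is opaque<1..2^16-1>: empty IDs are not allowed */
        if (id_len == 0 || end - off < id_len) return -1;
        off += id_len;
        out->responder_id_count++;
    }

    if (len - off < 2) return -1;
    out->request_extensions_len = rd16(data + off); off += 2;
    /* The extensions must exactly fill the rest; trailing bytes are an error */
    if (len - off != out->request_extensions_len) return -1;
    return 0;
}

/* Convenience wrappers: the value, or -1 if the extension is malformed */
long responder_id_list_length(const uint8_t *data, size_t len)
{
    status_request_t r;
    return parse_status_request(data, len, &r) == 0 ? (long)r.responder_id_list_len : -1;
}

long responder_id_count(const uint8_t *data, size_t len)
{
    status_request_t r;
    return parse_status_request(data, len, &r) == 0 ? (long)r.responder_id_count : -1;
}

/* Constructed samples (not captured from wolfSSL) */
const uint8_t kEmptyList[]     = { 0x01, 0x00, 0x00, 0x00, 0x00 };
const uint8_t kTwoResponders[] = { 0x01, 0x00, 0x08,
                                   0x00, 0x02, 0xAA, 0xBB,
                                   0x00, 0x02, 0xCC, 0xDD,
                                   0x00, 0x00 };
const uint8_t kTruncated[]     = { 0x01, 0x00, 0x08, 0x00, 0x02, 0xAA };

int main(void)
{
    printf("empty list: len=%ld count=%ld\n",
           responder_id_list_length(kEmptyList, sizeof kEmptyList),
           responder_id_count(kEmptyList, sizeof kEmptyList));
    printf("two responders: len=%ld count=%ld\n",
           responder_id_list_length(kTwoResponders, sizeof kTwoResponders),
           responder_id_count(kTwoResponders, sizeof kTwoResponders));
    printf("truncated: len=%ld (expect -1)\n",
           responder_id_list_length(kTruncated, sizeof kTruncated));
    return 0;
}
```

Run against the first sample it reports a responder_id_list length of 0, which is the "null" field the poster saw: the client sent a well-formed status_request without naming any responder, since, as the reply above states, the override URL only affects the client's own OCSP requests and is never encoded into the extension.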