OpenSSL certificate revocation check in client program using OCSP brackets

I have a built-in C client program that reliably connects to the server using OpenSSL. The server provides its certificate during the handshake and the client has to check the revocation status of that certificate. I am currently doing this with OCSP.

It all works, but now I need to re-run the client revocation check with the OCSP bracket (assuming the server will start providing this).

I am currently getting the server certificate using X509 *cert = SSL_get_peer_certificate(ssl)

to check subjectAltName

on my server domain and get authorityInfoAccess

(for OCSP URI).

Assuming I have SSL * ssl;

it and I have successfully installed everything and connected through SSL_connect(ssl);

, what should I do at this point to get OCSP stitching information and verify the certificate I just received? I cannot find any sample code for how to implement it using the OpenSSL library.


source to share

1 answer

There are several steps:

  • Ask the customer to submit the extension status_request

    using SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp)


  • Register a callback (and argument) to validate the OCSP response via SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb)

    andSSL_CTX_set_tlsext_status_arg(ctx, arg)

  • Write a callback function. The one used s_client

    demonstrates how to get response information:

    static int ocsp_resp_cb(SSL *s, void *arg)
    const unsigned char *p;
    int len;
    len = SSL_get_tlsext_status_ocsp_resp(s, &p);
    BIO_puts(arg, "OCSP response: ");
    if (!p)
        BIO_puts(arg, "no response sent\n");
        return 1;
    rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
    if (!rsp)
        BIO_puts(arg, "response parse error\n");
        BIO_dump_indent(arg, (char *)p, len, 4);
    return 0;
    BIO_puts(arg, "\n======================================\n");
    OCSP_RESPONSE_print(arg, rsp, 0);
    BIO_puts(arg, "======================================\n");
    return 1;



All Articles