| field | value | date |
|---|---|---|
| author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-10-04 19:10:26 +0200 |
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-10-04 19:19:21 +0200 |
| commit | 3b70b9f0a38d3708aa9fdc7ea9d8998387fb07cf (patch) | |
| tree | 2c011e1702eebf3fac2a6aeeb6bd0c983b426ea2 /doc/cha-intro-tls.texi | |
| parent | 0101efc0e26dc74ea79b39584df82da53a6e2032 (diff) | |
| download | gnutls-3b70b9f0a38d3708aa9fdc7ea9d8998387fb07cf.tar.gz | |
gnutls_certificate_verify_peers2() checks ocsp status response if available.
Diffstat (limited to 'doc/cha-intro-tls.texi')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | doc/cha-intro-tls.texi | 25 |

1 files changed, 23 insertions, 2 deletions
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi index ee58f0cfcc..aa5eaa2dd1 100644 --- a/doc/cha-intro-tls.texi +++ b/doc/cha-intro-tls.texi @@ -398,6 +398,7 @@ and they will be discussed in the subsections that follow. * Session tickets:: * HeartBeat:: * Safe renegotiation:: +* OCSP status request:: @end menu @node Maximum fragment length negotiation @@ -459,10 +460,8 @@ The requests coming from the peer result to @code{GNUTLS_@-E_@-HERTBEAT_@-PING_@ being returned from the receive function. Ping requests to peer can be send via @funcref{gnutls_heartbeat_ping}. -Policy-related functions: @showfuncB{gnutls_heartbeat_allowed,gnutls_heartbeat_enable} -Operational functions: @showfuncD{gnutls_heartbeat_ping,gnutls_heartbeat_pong,gnutls_heartbeat_set_timeouts,gnutls_heartbeat_get_timeout} @node Safe renegotiation 
@@ -564,6 +563,28 @@ renegotiation. The @funcref{gnutls_safe_renegotiation_status} function is used to check if the extension has been negotiated on a session, and can be used both by clients and servers. +@node OCSP status request +@subsection OCSP status request +@cindex OCSP status request +@cindex Certificate status request + +The Online Certificate Status Protocol (OCSP) is a protocol that allows the +client to verify the server certificate for revocation without messing with +certificate revocation lists. Its drawback is that it requires the client +to connect to the server's CA OCSP server and ask for the status of the +certificate. This extension however, enables a TLS server to include +its CA OCSP server response in the handshake. That is an HTTPS server +may periodically run @code{ocsptool} (see @ref{ocsptool Invocation}) to obtain +its certificate revocation status and serve it to the clients. This +reduces the number of connections a client needs to perform to access a +secure server. + +Server functions: +@showfuncB{gnutls_certificate_set_ocsp_status_request_function,gnutls_certificate_set_ocsp_status_request_file} + +Client functions: +@showfuncA{gnutls_ocsp_status_request_enable_client} + @include sec-tls-app.texi @node On SSL 2 and older protocols |
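Review bot: the heartbeat hunk (@@ -459,10 +460,8 @@) removes the two labels `Policy-related functions:` and `Operational functions:` from the HeartBeat subsection, which is unrelated to the commit subject (gnutls_certificate_verify_peers2() checking the OCSP status response) and is not explained in the message; either split it into its own commit or state in the message why the labels are dropped. While this region is being touched, the unchanged context lines carry two pre-existing defects that should be fixed in the same edit: the error code is spelled `GNUTLS_@-E_@-HERTBEAT_@-PING_@` (HERTBEAT, although every other identifier in the subsection uses gnutls_heartbeat_), and "Ping requests to peer can be send via" should read "can be sent via".

Review bot: the new OCSP status request subsection (@@ -564,6 +563,28 @@) never says what the library does with the response it receives, even though the commit subject states that gnutls_certificate_verify_peers2() now checks it; add a sentence that the stapled response is validated as part of peer verification, and say what a client should expect when the server supplies no response (the text itself says a server "may" run ocsptool, so the absence of a stapled response cannot by itself be treated as a revocation signal) or supplies one that is stale or does not cover the certificate being verified. Wording: "without messing with certificate revocation lists" should be "without having to fetch and process certificate revocation lists"; "the server's CA OCSP server" is the CA's OCSP responder; "That is an HTTPS server may" needs a comma after "That is"; and the mechanism is commonly known as OCSP stapling (the status_request extension of RFC 6066), which is worth naming once so readers can find it. The `Client functions:` list shows only gnutls_ocsp_status_request_enable_client; if an accessor for retrieving the received response is exported it belongs in that list, since a client that wants to log or inspect the stapled status has no pointer to it from this section.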