

3.6.6 OCSP status request

The Online Certificate Status Protocol (OCSP) is a protocol that allows the client to check the server certificate for revocation without having to download certificate revocation lists. Its drawback is that it requires the client to connect to the OCSP server of the server’s CA and request the status of the certificate. This extension, however, enables a TLS server to include its CA OCSP server’s response in the handshake. That is, an HTTPS server may periodically run ocsptool (see ocsptool Invocation) to obtain its certificate revocation status and serve it to the clients. That way a client avoids an additional connection to the OCSP server.

void gnutls_certificate_set_ocsp_status_request_function (gnutls_certificate_credentials_t sc, gnutls_status_request_ocsp_func ocsp_func, void * ptr)
int gnutls_certificate_set_ocsp_status_request_file (gnutls_certificate_credentials_t sc, const char * response_file, unsigned int flags)
int gnutls_ocsp_status_request_enable_client (gnutls_session_t session, gnutls_datum_t * responder_id, size_t responder_id_size, gnutls_datum_t * extensions)
int gnutls_ocsp_status_request_is_checked (gnutls_session_t session, unsigned int flags)

A server is required to provide the OCSP server’s response, either by pointing gnutls_certificate_set_ocsp_status_request_file at a file containing it or by registering a callback with gnutls_certificate_set_ocsp_status_request_function. The response file may be obtained periodically using the following command.

ocsptool --ask --load-cert server_cert.pem --load-issuer the_issuer.pem \
         --load-signer the_issuer.pem --outfile ocsp.response

Since version 3.1.3 GnuTLS clients transparently support the certificate status request.
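Automating the periodic ocsptool run described above, as an added example that is not part of the GnuTLS manual: a POSIX sh script that wraps the manual’s command, keeps the last good ocsp.response when the responder query fails, and swaps the new file in atomically so the server never sees a half-written response. The staleness threshold, the script name and the --run flag are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the GnuTLS manual): refresh the OCSP response a
# GnuTLS server staples via gnutls_certificate_set_ocsp_status_request_file.
# The ocsptool invocation and file names are the manual's; the staleness
# check and fail-closed replacement are this script's own assumptions.

# refresh_ocsp_response CERT ISSUER OUTFILE
# Runs the manual's ocsptool query (the responder URL is taken from the
# certificate's AIA extension) into a temporary file and renames it over
# OUTFILE only if ocsptool succeeded and produced a non-empty response.
# On any failure the previously served response is left untouched, so the
# server keeps stapling the last good response instead of an empty or
# truncated file. Returns 0 on success, 1 otherwise.
refresh_ocsp_response() {
    cert=$1; issuer=$2; outfile=$3
    tmp="$outfile.tmp.$$"
    if ocsptool --ask --load-cert "$cert" --load-issuer "$issuer" \
                --load-signer "$issuer" --outfile "$tmp" >/dev/null 2>&1 \
       && [ -s "$tmp" ]; then
        mv -f "$tmp" "$outfile"   # rename is atomic: readers see old or new
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# response_is_stale FILE MAX_MINUTES
# True (exit 0) if FILE is missing or older than MAX_MINUTES. A stapled
# response carries a nextUpdate time, so refresh well before it passes.
response_is_stale() {
    f=$1; max_minutes=$2
    [ -f "$f" ] || return 0
    [ -n "$(find "$f" -mmin "+$max_minutes" 2>/dev/null)" ]
}

# Usage: ./ocsp-refresh.sh --run   (for example hourly from cron, run in
# the directory holding server_cert.pem and the_issuer.pem)
case "${1:-}" in
    --run)
        if response_is_stale ocsp.response 60; then
            refresh_ocsp_response server_cert.pem the_issuer.pem ocsp.response \
                || { echo "OCSP refresh failed, keeping previous response" >&2; exit 1; }
        fi ;;
esac
```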