Hi,
I had some questions about using OCSP for revocation.
I have a client that connects to apache http server 2.4.37 (RHEL). I have enabled SSL and OCSP stapling on the server with this configuration ->
Root
-> Intermediate
-> Server Certificate
-> OCSP signer certificate
Both the intermediate and Server certificate contain the OCSP responder URL in AIA extension. And there is a OCSP responder running on the same.
The client will send the "status_request" extension during handshake. I see the server is querying the responder for the revocation status of the end entity certificate and returning that back to client. But the revocation status for intermediate cert doesn't seem to be queried or put back in response.
Note: The version negotiated is TLS 1.3
From the documentation about OCSP stapling it seemed RFC 6961 is not implemented(relevant for TLS 1.2). Please let me know if this understanding is correct. But in case of TLS 1.3, the response can be added as a certificate specific extension of TLS Certificate message. It wasn't clear if I should be expecting the OCSP response even for the intermediate cert in this situation.
To summarize
Is OCSP multi stapling supported by apache 2.4.37 ?
Any pointers would be helpful. Thanks in advance
Regards
Akshath
