On Thu, 2014-05-08 at 14:38 +0100, David Woodhouse wrote:
> Should OpenConnect be doing OCSP? There's not a lot of point in people
> revoking all their certs after Heartbleed, if clients aren't actually
> *checking*, right?
> I think we probably should, but.... it's going to make me sad, isn't it?
> I'm going to have to write hundreds of lines of code to do stuff that I
> might naïvely have hoped would have been happening for me automatically
> before I even thought about it?

There are two ways to receive the OCSP response. One is through the TLS
handshake (ocserv for example can be set up to send a fresh OCSP server
response to openconnect). In that case openconnect (with gnutls - no idea
about openssl - although I'd expect the same) will automatically check
this OCSP response.

The other is during the handshake to connect to the OCSP server that you
get by reading an X.509 extension in the certificate, issue a request and
verify the reply. You can see an example that uses libcurl to issue a
POST request and retrieve the answer at:
http://www.gnutls.org/manual/gnutls.html#OCSP-example

I do think however that key pinning (i.e., avoiding all PKI altogether,
similar to my previous patch), is quite better than any of that.

regards,
Nikos
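The second path Nikos describes (build an OCSP request for the certificate, POST it to the responder, look at the reply before trusting it) as an added example in Python using only the standard library; it is not code from OpenConnect, GnuTLS or the linked manual. The issuer name, issuer key bits, serial number and responder URL are constructed placeholders, and the responder signature check that must follow a "successful" status is not shown.

```python
import hashlib
import urllib.request

# Constructed placeholders, not from any real CA: the issuer's DER Name
# (CN=Test CA), issuer public-key BIT STRING contents, and a serial number.
SAMPLE_ISSUER_NAME_DER = bytes.fromhex("30123110300e06035504030c0754657374204341")
SAMPLE_ISSUER_KEY_BITS = b"\x00" + bytes(range(1, 32))   # 32 bytes, not a real key
SAMPLE_SERIAL = 0x1234
SHA1_ALG_ID = bytes.fromhex("300906052b0e03021a0500")   # AlgorithmIdentifier {id-sha1, NULL}
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

def der(tag, body):
    """Wrap body in a DER TLV (definite-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(enc)]) + enc + body

def der_integer(value):
    """Positive DER INTEGER; a leading 0x00 keeps the high bit from reading as negative."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def build_ocsp_request(issuer_name_der, issuer_key_bits, serial):
    """OCSPRequest (RFC 6960 4.1.1): CertID hashes the issuer Name and issuer key,
    so the responder can identify the issuer without the client sending the chain."""
    cert_id = der(0x30, SHA1_ALG_ID
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())   # issuerNameHash
                  + der(0x04, hashlib.sha1(issuer_key_bits).digest())   # issuerKeyHash
                  + der_integer(serial))                                # serialNumber
    request_list = der(0x30, der(0x30, cert_id))   # SEQUENCE OF Request { reqCert }
    return der(0x30, der(0x30, request_list))      # OCSPRequest { TBSRequest (v1 default) }

def post_ocsp_request(responder_url, request_der, timeout=10.0):
    """HTTP POST per RFC 6960 appendix A; returns the raw DER OCSPResponse."""
    req = urllib.request.Request(responder_url, data=request_der, method="POST",
                                 headers={"Content-Type": "application/ocsp-request"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()

def ocsp_response_status(response_der):
    """responseStatus of OCSPResponse ::= SEQUENCE { ENUMERATED, [0] responseBytes OPTIONAL }.
    Only 'successful' carries a signed BasicOCSPResponse to verify; anything else is
    'no answer', never 'not revoked'."""
    if len(response_der) < 5 or response_der[0] != 0x30:
        raise ValueError("not an OCSPResponse")
    i = 2 + (response_der[1] & 0x7F if response_der[1] & 0x80 else 0)  # skip outer length
    if i + 2 >= len(response_der) or response_der[i] != 0x0A or response_der[i + 1] != 1:
        raise ValueError("responseStatus missing")
    return OCSP_STATUS.get(response_der[i + 2], "unknown")
```

Against a real responder the flow is `ocsp_response_status(post_ocsp_request(url, build_ocsp_request(...)))`, and a client should treat anything but "successful" followed by a verified signature as the absence of a revocation answer.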