On 28.10.2015 16:44, Jakob Bohm wrote:
> On 27/10/2015 21:21, Walter H. wrote:
>> On 26.10.2015 21:42, rosect190 at yahoo.com wrote:
>>> Hi, I need some help on this call.
>>>
>>> I am building an OCSP client following the guide in openssl and compiling
>>> the code in a Cygwin environment. My openssl version is 1.0.1h.
>>>
>>> With HTTP based OCSP, the code works fine. But, with HTTPS, the code
>>> gets stuck at the call to OCSP_sendreq_bio(). Further debugging
>>> shows that OCSP_sendreq_nbio() does not return.
>>>
>>> Do I need to do something extra to deal with an HTTPS based connection?
>>>
>> OCSP must not be https ...
>> the same with CRL download ...
> Really, I thought that was only a recent cop-out rule to
> cater to clients with inferior SSL libraries that can't
> handle the recursion.

Both OCSP and CRLs are signed, and this is enough for validation; there is
no need for SSL. An infinite recursion would be implied because of the need
to validate these SSL certificates the same way as the origin SSL
certificate ...

But be aware that CRLs can be in an LDAP (done by bad CAs); OCSP must be HTTP.

Walter
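The rule Walter states above (OCSP over plain HTTP, because the response is already signed and a TLS responder would need its own revocation check) is something an OCSP client can enforce before it ever opens a connection: read the AuthorityInfoAccess extension, pull out the OCSP accessLocation URIs, and refuse schemes other than http. The following is an added example, not code from the thread or from OpenSSL; it uses only the Python standard library, with a hand-rolled DER encoder/decoder in place of a certificate library. The AIA bytes, the hostnames (ocsp.example.test, ca.example.test) and the function names are all constructed for this example. RFC 6960 (Appendix A) specifies OCSP transport over HTTP; the https case is flagged for the reason given in the mail, and the ldap case Walter mentions for CRLs is rejected as well.

```python
"""Extract OCSP responder URLs from a DER-encoded AuthorityInfoAccess value
and flag URL schemes an OCSP client should refuse.

Example code, stdlib only. The AIA bytes, hostnames and helper names are
constructed for this demonstration; nothing here is OpenSSL's own code."""
from urllib.parse import urlsplit

OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers


# --- minimal DER helpers (short and long definite lengths only) ------------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def der_read(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def oid_decode(content):
    """Decode OBJECT IDENTIFIER content bytes back to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


# --- AuthorityInfoAccess ---------------------------------------------------

def access_description(oid, uri):
    """AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation [6] IA5String }"""
    return der_tlv(0x30, der_oid(oid) + der_tlv(0x86, uri.encode("ascii")))


def aia_access_locations(aia_der):
    """Yield (accessMethod OID, URI) pairs from an AuthorityInfoAccessSyntax value."""
    tag, seq, _ = der_read(aia_der, 0)
    if tag != 0x30:
        raise ValueError("AIA value is not a SEQUENCE")
    pos = 0
    while pos < len(seq):
        _, desc, pos = der_read(seq, pos)
        _, oid_bytes, p = der_read(desc, 0)
        name_tag, name, _ = der_read(desc, p)
        if name_tag == 0x86:  # only uniformResourceIdentifier names are fetchable
            yield oid_decode(oid_bytes), name.decode("ascii")


def check_ocsp_url(url):
    """Return (ok, reason). Plain HTTP is the transport RFC 6960 defines; an
    https responder would need its own certificate validated (and hence
    revocation-checked) first, which is the recursion described in the mail."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "http":
        return True, "ok: signed OCSP response over plain HTTP"
    if scheme == "https":
        return False, "https responder: TLS adds nothing to a signed response and recurses"
    return False, "unsupported scheme for an OCSP responder: " + scheme


# Constructed sample: a sane responder, a caIssuers entry, and an https responder.
SAMPLE_AIA = der_tlv(
    0x30,
    access_description(OID_OCSP, "http://ocsp.example.test/")
    + access_description(OID_CA_ISSUERS, "http://ca.example.test/issuer.cer")
    + access_description(OID_OCSP, "https://ocsp.example.test/"),
)


def ocsp_responders(aia_der=SAMPLE_AIA):
    """Return [(uri, (ok, reason)), ...] for every id-ad-ocsp location in the AIA."""
    return [(uri, check_ocsp_url(uri))
            for oid, uri in aia_access_locations(aia_der) if oid == OID_OCSP]


if __name__ == "__main__":
    for uri, (ok, why) in ocsp_responders():
        print(("OK  " if ok else "BAD ") + uri + "  " + why)
```

In a real client the AIA value comes from the certificate being checked (OpenSSL's X509_get1_ocsp() does the same walk in C); the point of the scheme check is to fail early with a clear reason rather than, as in the original report, blocking inside OCSP_sendreq_bio() on a transport the helper was not written for.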