Walter H. wrote:
> On 28.10.2015 16:44, Jakob Bohm wrote:
>> On 27/10/2015 21:21, Walter H. wrote:
>>> On 26.10.2015 21:42, rosect190 at yahoo.com wrote:
>>>> Hi, I need some help on this call.
>>>>
>>>> I am building an OCSP client following guide in openssl and compile the
>>>> code in Cygwin environment. My openssl version is 1.0.1h.
>>>>
>>>> With HTTP based OCSP, the code works fine. But, with HTTPs, the code gets
>>>> stuck at the call to OCSP_sendreq_bio(). Further debugging shows that
>>>> OCSP_sendreq_nbio() does not return.
>>>>
>>>> Did I need to do something extra to deal with HTTPs based connection?
>>>>
>>> OCSP must not be https ...
>>> the same with CRL download ...
>> Really, I thought that was only a recent cop out rule to
>> cater to clients with inferior SSL libraries that can't
>> handle the recursion.
> both OCSP and CRLs are signed, and this is enough for validation,
> there is no need of SSL;

There are some privacy concerns with OCSP usage. So using TLS to protect the traffic against sniffing would be good.

Ciao, Michael.