On 30/09/2019 14:49, Jeremy Harris wrote:
> Looking at implementing the above, under TLSv1.3 and (at least
> initially) server-side.  I'm currently using
>
>   SSL_CTX_set_tlsext_status_cb()
>   SSL_set_tlsext_status_ocsp_resp( a DER blob )
>
> and the problem is: will this accept a
> (DER-wrapped, basicresp-wrapped) stack of singleresp
> where the stack has >1 element?

It's an OCSPResponse object (see RFC2560) - represented by the
OCSP_RESPONSE type in OpenSSL. That can itself wrap a BasicOCSPResponse
which can contain multiple SingleResponses.

> If so, and that is the preferred way to load such
> a stapling, how can such a blob be constructed?

If you want to construct it from scratch you might want to take a look
at how the ocsp app does it:

https://github.com/openssl/openssl/blob/84f471ecab76a16281a16c53d259bbcae358816f/apps/ocsp.c#L1146-L1287

> I have separate PEM files for each ocsp resp for
> the certificate chain, currently.  Converting
> to DER and pulling out the singleresp is feasible;
> it's building a multi-resp blob that looks hard.
>
> Alternatively, can SSL_set_tlsext_status_ocsp_resp()
> be called repeatedly, with distinct blobs for the
> stapling chain elements?  The manpage does not suggest it
> so it seems unlikely.

No, this isn't possible.

> Alternatively^2, is there some way to get such a blob from
> a tool (openssl ocsp, or similar) ready built?  For this
> purpose, I am the CA.

Yes, you can do this. For example see the "respout" option in the ocsp
command.

From the examples in the ocsp man page:

Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save
the response to a file, print it out in text form, and verify the
response:

 openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \
      -url http://ocsp.myhost.com/ -resp_text -respout resp.der

Read in an OCSP response and print out text form:

 openssl ocsp -respin resp.der -text -noverify

https://www.openssl.org/docs/man1.1.1/man1/openssl-ocsp.html

Matt
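The man-page example above queries a remote responder; Jeremy's situation ("I am the CA") allows the same blob to be produced offline, because `openssl ocsp` switches to responder mode when given `-index` and answers the request built from `-issuer`/`-cert` locally. The script below is an added example written for this note, not code from the thread, from Jeremy or Matt, or from OpenSSL itself. It creates a throwaway CA and two leaf certificates, writes an `openssl ca`-style `index.txt` for them, asks the responder for both certificates in one request (so the BasicOCSPResponse carries two SingleResponses), and then reads the DER back the way a client would. All file names, subjects, serial numbers (0x1001, 0x1002) and the index contents are constructed for the demo; the resulting `resp.der` is the kind of blob passed to `SSL_set_tlsext_status_ocsp_resp()`.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSL): build a stapling blob
# with one SingleResponse per certificate using 'openssl ocsp' in responder
# mode (-index), acting as the CA. Requires the openssl CLI (1.1.1 or 3.x).
set -eu

# Throwaway CA plus two leaf certs with fixed serials (0x1001, 0x1002).
# Subjects and serials are constructed for this demo.
make_test_ca() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=demo-ca \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    for n in 1 2; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=server$n" \
            -keyout "$d/server$n.key" -out "$d/server$n.csr" 2>/dev/null
        openssl x509 -req -in "$d/server$n.csr" -CA "$d/ca.pem" \
            -CAkey "$d/ca.key" -set_serial "0x100$n" -days 30 \
            -out "$d/server$n.pem" 2>/dev/null
    done
}

# 'openssl ca'-style index: six tab-separated columns
#   status, expiry, revocation date, serial, file, subject
# The responder looks entries up by serial (upper-case hex, no leading
# zeros, as BN_bn2hex prints it) and reads the status column; a revoked
# cert would have 'R' in column 1 and its revocation date in column 3.
# The expiry value here is a placeholder; the ocsp responder does not use it.
write_index() {
    d=$1
    : > "$d/index.txt"
    for n in 1 2; do
        printf 'V\t%s\t\t%s\t%s\t%s\n' 351231235959Z "100$n" unknown \
            "/CN=server$n" >> "$d/index.txt"
    done
}

# One request naming both certs (-cert may repeat; -issuer must come first),
# answered from the index and signed with the CA key. The response therefore
# holds two SingleResponses. -no_nonce keeps the nonce extension out of a
# blob meant for stapling; -ndays gives each SingleResponse a nextUpdate.
build_stapling_blob() {
    d=$1
    openssl ocsp -index "$d/index.txt" -CA "$d/ca.pem" \
        -rsigner "$d/ca.pem" -rkey "$d/ca.key" \
        -issuer "$d/ca.pem" -cert "$d/server1.pem" -cert "$d/server2.pem" \
        -no_nonce -ndays 7 -respout "$d/resp.der" >/dev/null 2>&1
}

# Parse the DER blob back and count SingleResponses: every one prints a
# "Cert Status:" line in the -resp_text dump.
count_single_responses() {
    openssl ocsp -respin "$1" -resp_text -noverify -no_nonce 2>/dev/null \
        | grep -c 'Cert Status:'
}

# Verify the signature and that the signer is entitled to answer for each
# SingleResponse (exit status 0 is "Response verify OK").
verify_blob() {
    openssl ocsp -respin "$1" -CAfile "$2" -no_nonce >/dev/null 2>&1
}

WORK=$(mktemp -d)
make_test_ca "$WORK"
write_index "$WORK"
build_stapling_blob "$WORK"
echo "SingleResponses in $WORK/resp.der: $(count_single_responses "$WORK/resp.der")"
verify_blob "$WORK/resp.der" "$WORK/ca.pem" && echo "resp.der verifies against ca.pem"
```

The same `resp.der` is what a server would hand to `SSL_set_tlsext_status_ocsp_resp()` from its status callback; when re-issuing it, keep the `-ndays` window short enough that the stapled copy is replaced before nextUpdate passes, since clients may reject a stale one.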