Hi,
I had a few questions about OCSP stapling for intermediate certificates.
On the client side I'm adding the "certificate status request" extension to the ClientHello message. For the server, I'm using an Apache httpd server which has OCSP responder details configured in the ssl module. The negotiated TLS version is 1.3.
1) The server has a multi-tier cert chain. But it seems to be sending the OCSP response for only the end entity certificate. Apache documentation seems to suggest this is expected and multi-stapling is not supported. Is anyone aware of an HTTP server that supports multi-stapling?
2) On the client side, I'm registering for the OCSP response callback with SSL_CTX_set_tlsext_status_cb.
In case of a multi-tiered cert chain and an OCSP response for each cert, is this callback called once for each response, or only one time?
If it's called only one time, how are the responses accessed?
SSL_get_tlsext_status_ocsp_response -> seems to return only one OCSP response.
And I haven't been able to try this for the lack of multi-stapling support in the HTTP server.
3) The OCSP response callback seems to be called after the cert chain verification callback has ended. Is there any reason for this? The authenticity of the OCSP response is established by a different chain (OCSP response -> CA that signed the cert), and doesn't need to wait for the server end entity verification? So instead of a CRL, OCSP could have been used during cert chain verification.
Thanks
Akshath
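For question 2, what the status callback gets back from SSL_get_tlsext_status_ocsp_response is a single DER-encoded OCSPResponse blob. The following is an added illustration (not the poster's code, nor OpenSSL's) of the first sanity check a client callback can do on that blob: parse the outer OCSPResponse, read responseStatus, and locate the inner BasicOCSPResponse that must then go through full signature and validity checking (in OpenSSL, d2i_OCSP_RESPONSE plus OCSP_basic_verify against the server's chain, which this snippet does not replace). The two sample blobs are constructed for the example, and the inner BasicOCSPResponse body in SAMPLE_OK is a placeholder, not a real signed response.

```c
#include <stdint.h>
#include <string.h>

/* Read one DER TLV at *p: tag, body, body length; advance *p. Definite lengths up to 2 bytes. */
static int der_tlv(const uint8_t **p, const uint8_t *end, uint8_t *tag,
                   const uint8_t **body, size_t *len) {
    const uint8_t *q = *p;
    size_t l;
    if (end - q < 2) return -1;
    *tag = *q++; l = *q++;
    if (l & 0x80) {                          /* long form: 1 or 2 length bytes */
        size_t n = l & 0x7f;
        if (n == 0 || n > 2 || (size_t)(end - q) < n) return -1;
        for (l = 0; n; n--) l = (l << 8) | *q++;
    }
    if ((size_t)(end - q) < l) return -1;
    *body = q; *len = l; *p = q + l;
    return 0;
}
enum { OCSP_PEEK_BASIC = 0, OCSP_PEEK_UNSUCCESSFUL = 1,
       OCSP_PEEK_UNKNOWN_TYPE = 2, OCSP_PEEK_MALFORMED = -1 };
/* id-pkix-ocsp-basic (1.3.6.1.5.5.7.48.1.1), DER body */
static const uint8_t ID_PKIX_OCSP_BASIC[] = {0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x01};
/* Parse the outer OCSPResponse { responseStatus ENUMERATED, responseBytes [0] EXPLICIT OPTIONAL }
   (RFC 6960, 4.2.1). On OCSP_PEEK_BASIC, *basic points at the DER BasicOCSPResponse that a
   full verifier (e.g. OpenSSL's OCSP_basic_verify against the server's chain) must still check. */
int ocsp_response_peek(const uint8_t *der, size_t der_len, int *status,
                       const uint8_t **basic, size_t *basic_len) {
    const uint8_t *p = der, *end = der + der_len, *b = der; uint8_t tag = 0; size_t l = 0;
    if (der_tlv(&p, end, &tag, &b, &l) || tag != 0x30 || p != end) return OCSP_PEEK_MALFORMED;
    p = b; end = b + l;                                   /* inside OCSPResponse */
    if (der_tlv(&p, end, &tag, &b, &l) || tag != 0x0a || l != 1) return OCSP_PEEK_MALFORMED;
    *status = b[0];
    if (*status != 0) return OCSP_PEEK_UNSUCCESSFUL;      /* tryLater, unauthorized, ... */
    if (der_tlv(&p, end, &tag, &b, &l) || tag != 0xa0 || p != end) return OCSP_PEEK_MALFORMED;
    p = b; end = b + l;                                   /* inside [0] EXPLICIT */
    if (der_tlv(&p, end, &tag, &b, &l) || tag != 0x30 || p != end) return OCSP_PEEK_MALFORMED;
    p = b; end = b + l;                                   /* inside ResponseBytes */
    if (der_tlv(&p, end, &tag, &b, &l) || tag != 0x06) return OCSP_PEEK_MALFORMED;
    if (l != sizeof ID_PKIX_OCSP_BASIC || memcmp(b, ID_PKIX_OCSP_BASIC, l)) return OCSP_PEEK_UNKNOWN_TYPE;
    if (der_tlv(&p, end, &tag, &b, &l) || tag != 0x04 || p != end) return OCSP_PEEK_MALFORMED;
    *basic = b; *basic_len = l;
    return OCSP_PEEK_BASIC;
}
/* Constructed samples: a successful response whose BasicOCSPResponse is a placeholder
   SEQUENCE { NULL }, and a bare tryLater (3) response, which carries no responseBytes. */
static const uint8_t SAMPLE_OK[] = {0x30,0x18, 0x0a,0x01,0x00, 0xa0,0x13, 0x30,0x11,
    0x06,0x09,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x01, 0x04,0x04,0x30,0x02,0x05,0x00};
static const uint8_t SAMPLE_TRY_LATER[] = {0x30,0x03, 0x0a,0x01,0x03};
```

A callback should treat anything other than OCSP_PEEK_BASIC as "no usable stapled status" and fall back to its configured policy (soft-fail or hard-fail), and a truncated or oversized blob must never be passed further down.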