Does the Windows UWP SDK support OCSP?
I am now using the Http namespace in my Windows UWP app to connect to a server, and I wonder whether it supports OCSP verification.
I used Wireshark to capture traffic between my client and the OCSP server and didn't get anything; it seems it didn't even try, and a revoked cert still works...
See also questions close to this topic
Configure tomcat to use Java 9 native OCSP stapling and OCSP check
How can I configure Apache Tomcat to use OCSP stapling and certificate revocation check using OCSP implementation available in Java 9?
Is running Tomcat 9 on Java 9 with the following property enough?

    // Enable OCSP Stapling (off by default)
    System.setProperty("jdk.tls.server.enableStatusRequestExtension", "true");

I have tried the above, but it doesn't seem to be working.
Does X509Certificate.Build use OCSP if ChainPolicy RevocationMode Online is used?
If you have code like the following: is OCSP used for the 'online' revocation check?

    X509Chain ch = new X509Chain();
    ch.ChainPolicy.RevocationMode = X509RevocationMode.Online;
    ch.Build (certificate);

The API documentation is not explicit about this, saying:
"A revocation check is made using an online certificate revocation list (CRL)."
but not giving any details of how the check is made.
The X509Chain.Build method checks if the property szOID_AUTHORITY_INFO_ACCESS has a value - I know this is where OCSP URLs are stored, so again this would suggest that OCSP is being used.
Build then calls BuildChain, and a call is made to CertGetCertificateChain, passing a revocation flags unsigned int.
The documentation for GetCertificateChain gives the possible flags that can be passed in, including CERT_CHAIN_REVOCATION_CHECK_OCSP_CERT:
"This flag is used internally during chain building for an online certificate status protocol (OCSP) signer certificate to prevent cyclic revocation checks. During chain building, if the OCSP response is signed by an independent OCSP signer, then, in addition to the original chain build, there is a second chain built for the OCSP signer certificate itself. This flag is used during this second chain build to inhibit a recursive independent OCSP signer certificate. If the signer certificate contains the szOID_PKIX_OCSP_NOCHECK extension, revocation checking is skipped for the leaf signer certificate. Both OCSP and CRL checking are allowed."
Since a flag exists to 'inhibit' OCSP checking, I am thinking that it does happen - but again it would be nice to get an explicit confirmation of this.
How to create ocsp request using openssl in c++?
I am trying to send an ocsp request to an C++, but I can't find anything to prepare the request. In the documentation I found the following functions:

    long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp);
    long SSL_set_tlsext_status_ocsp_resp(ssl, unsigned char *resp, int len);

How can I add the certificate and set the nonce for the request?