ocsp

public class CustomTrustManager implements X509TrustManager { private X509TrustManager trustManager; // If a connection was previously attempted and failed the certificate check, that certificate chain will be saved here. private Certificate[] rejectedCertificates = null; private Certificate[] encounteredCertificates = null; private KeyStore keyStore = null; private Logger logger; /** * Constructor * * @param loggerFactory * see {@link InstanceLoggerFactory} */ public CustomTrustManager(InstanceLoggerFactory loggerFactory) { try { this.logger = loggerFactory.getLogger(CustomTrustManager.class)

If I set Security.setProperty("ocsp.enable", "true") , will an SSLSocket or SSLServerSocket connection automatically check for certificate revocation using OCSP? Do I have to do the OCSP check manually when creating the socket? (I'm not using CRLs.) You can use this TrustManager implementation I whipped up for some testing which is based on the OCSP checking code on XueLei.Fan's blog . I have used this with Netty based on the their HttpSnoopClient hitting https://www.mozilla.org/en-US/ and it works. import io.netty.handler.ssl.util.SimpleTrustManagerFactory; import io.netty.util.internal

I have an embedded C client program that securely connects to a server using OpenSSL. The server provides its certificate during the handshake and the client has to check the revocation status of this certificate. Currently I do this by using OCSP. All of this works, but now I need to re-implement the client's revocation check using OCSP stapling (assuming the server will start providing this). Currently I get the server certificate using X509 *cert = SSL_get_peer_certificate(ssl) to check the subjectAltName against my server's domain and get the authorityInfoAccess (for OCSP URI). Assuming I