The Online Certificate Status Protocol (OCSP) is a protocol that allows the
client to check the server certificate for revocation without having to
download and process certificate revocation lists. Its drawback is that it
requires the client to connect to the OCSP server of the server's CA and
request the status of the certificate. This extension, however, enables a TLS
server to include its CA's OCSP response in the handshake. That is, an HTTPS
server may periodically run ocsptool
(see ocsptool Invocation) to obtain
its certificate revocation status and serve it to the clients. That
way a client avoids an additional connection to the OCSP server, and the
status it receives is still signed by the CA (or the CA's designated
responder), so the server cannot forge it.
See OCSP stapling for further information.
Since version 3.1.3 GnuTLS clients transparently support the certificate status request.
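The periodic refresh described above, as an added shell example that is not part of the GnuTLS manual or the GnuTLS project: it wraps the ocsptool invocation that fetches and verifies the CA's response, and a small pure-shell policy function that decides when the cached response is stale enough to re-ask the responder. The certificate and issuer paths, the output file name, the one-day refresh threshold and the use of GNU `stat -c %Y` are assumptions; the ocsptool and gnutls-serv options are the standard ones (`--ask`, `--load-cert`, `--load-issuer`, `--outfile`, `--verify-response`, `--load-response`, `--load-trust`, `--ocsp-response`).

```shell
#!/bin/sh
# Added example (not from the GnuTLS manual): refresh a stapled OCSP response.
# Assumed paths; the CA's OCSP responder URL is taken by ocsptool from the
# certificate's Authority Information Access extension.
CERT=${CERT:-server-cert.pem}            # assumed: the server's own certificate
ISSUER=${ISSUER:-ca-cert.pem}            # assumed: the issuing CA certificate
RESPONSE=${RESPONSE:-ocsp-response.der}  # assumed: file handed to gnutls-serv --ocsp-response
MAX_AGE_SECS=${MAX_AGE_SECS:-86400}      # assumed policy: re-ask the responder once a day

# Ask the CA's OCSP responder for a fresh DER-encoded response.
fetch_ocsp_response() {
    ocsptool --ask --load-cert "$CERT" --load-issuer "$ISSUER" --outfile "$RESPONSE"
}

# Check the signature on the cached response against the CA before serving it;
# a response the CA did not sign must never be stapled.
verify_ocsp_response() {
    ocsptool --verify-response --load-response "$RESPONSE" --load-trust "$ISSUER"
}

# Pure-shell staleness policy, so it can be exercised without ocsptool.
# Arguments: <mtime of cached response as epoch seconds, or empty if none> <now>
# Returns 0 (true) when a refresh is needed.
needs_refresh() {
    cached_mtime=$1
    now=$2
    [ -z "$cached_mtime" ] && return 0   # no cached response at all
    age=$((now - cached_mtime))
    [ "$age" -ge "$MAX_AGE_SECS" ]
}

# Refresh only when stale; on a fetch or verification failure keep the old
# response rather than replacing it with nothing.
refresh_if_stale() {
    mtime=""
    if [ -f "$RESPONSE" ]; then
        mtime=$(stat -c %Y "$RESPONSE" 2>/dev/null || echo "")   # GNU stat assumed
    fi
    if needs_refresh "$mtime" "$(date +%s)"; then
        tmp="$RESPONSE.new"
        if RESPONSE="$tmp" fetch_ocsp_response && RESPONSE="$tmp" verify_ocsp_response; then
            mv "$tmp" "$RESPONSE"
            echo "stapled response refreshed: $RESPONSE"
        else
            rm -f "$tmp"
            echo "refresh failed, keeping previous response" >&2
            return 1
        fi
    fi
}

# Invoke as `sh ocsp-refresh.sh run` from cron; the server is then started with
# e.g. `gnutls-serv --x509certfile "$CERT" --x509keyfile server-key.pem --ocsp-response "$RESPONSE"`.
case "${1:-}" in
    run) refresh_if_stale ;;
esac
```

Because `needs_refresh` takes the timestamps as arguments instead of reading the clock itself, the refresh policy can be checked offline while the network-facing steps stay in their own functions.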