Browsers (except Google Chrome, see the note below) use the OCSP protocol to check whether a certificate is still valid.
The certificate carries an OCSP URI field, and the browser sends its status check to that URI. You can see the field with:
openssl s_client -showcerts -connect google.com:443 < /dev/null | openssl x509 -text | grep OCSP

The request is sent to the OCSP server by HTTP POST and carries three parameters: issuerNameHash, issuerKeyHash and serialNumber.

The response reports the status as a CertStatus ::= CHOICE {
good [0] IMPLICIT NULL,
revoked [1] IMPLICIT RevokedInfo,
unknown [2] IMPLICIT UnknownInfo }

The following descriptions of the three states are excerpted from RFC 6960:
The "good" state indicates a positive response to the status inquiry.
At a minimum, this positive response indicates that no certificate
with the requested certificate serial number currently within its
validity interval is revoked. This state does not necessarily mean
that the certificate was ever issued or that the time at which the
response was produced is within the certificate's validity interval.
Response extensions may be used to convey additional information on
assertions made by the responder regarding the status of the
certificate, such as a positive statement about issuance, validity,

The "revoked" state indicates that the certificate has been revoked,
either temporarily (the revocation reason is certificateHold) or
permanently. This state MAY also be returned if the associated CA
has no record of ever having issued a certificate with the
certificate serial number in the request, using any current or
previous issuing key (referred to as a "non-issued" certificate in
this document).

The "unknown" state indicates that the responder doesn't know about
the certificate being requested, usually because the request
indicates an unrecognized issuer that is not served by this

Note: for performance reasons Google Chrome does not use OCSP; it relies on its own mechanism, a periodically updated local list.

This page contains a single entry by Pank published on February 22, 2018 10:09 AM.
