Cryptography and SSL/TLS Toolkit



OCSP_sendreq_new, OCSP_sendreq_nbio, OCSP_REQ_CTX_free, OCSP_set_max_response_length, OCSP_REQ_CTX_add1_header, OCSP_REQ_CTX_set1_req, OCSP_sendreq_bio, OCSP_REQ_CTX_i2d - OCSP responder query functions


 #include <openssl/ocsp.h>

 OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req,
                                int maxline);

 int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);

 void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);

 void OCSP_set_max_response_length(OCSP_REQ_CTX *rctx, unsigned long len);

 int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
                              const char *name, const char *value);

 int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req);

 OCSP_RESPONSE *OCSP_sendreq_bio(BIO *io, const char *path, OCSP_REQUEST *req);

 int OCSP_REQ_CTX_i2d(OCSP_REQ_CTX *rctx, const char *content_type,
                      const ASN1_ITEM *it, ASN1_VALUE *req);


The function OCSP_sendreq_new() returns an OCSP_CTX structure using the responder io, the URL path path, the OCSP request req and with a response header maximum line length of maxline. If maxline is zero a default value of 4k is used. The OCSP request req may be set to NULL and provided later if required.

OCSP_sendreq_nbio() performs nonblocking I/O on the OCSP request context rctx. When the operation is complete it returns the response in *presp.

OCSP_REQ_CTX_free() frees up the OCSP context rctx.

OCSP_set_max_response_length() sets the maximum response length for rctx to len. If the response exceeds this length an error occurs. If not set a default value of 100k is used.

OCSP_REQ_CTX_add1_header() adds header name with value value to the context rctx. It can be called more than once to add multiple headers. It MUST be called before any calls to OCSP_sendreq_nbio(). The req parameter in the initial to OCSP_sendreq_new() call MUST be set to NULL if additional headers are set.

OCSP_REQ_CTX_set1_req() sets the OCSP request in rctx to req. This function should be called after any calls to OCSP_REQ_CTX_add1_header(). OCSP_REQ_CTX_set1_req(rctx, req) is equivalent to the following:

 OCSP_REQ_CTX_i2d(rctx, "application/ocsp-request",
                        ASN1_ITEM_rptr(OCSP_REQUEST), (ASN1_VALUE *)req)

OCSP_REQ_CTX_i2d() sets the request context rctx to have the request req, which has the ASN.1 type it. The content_type, if not NULL, will be included in the HTTP request. The function should be called after all other headers have already been added.

OCSP_sendreq_bio() performs an OCSP request using the responder io, the URL path path, and the OCSP request req with a response header maximum line length 4k. It waits indefinitely on a response.


OCSP_sendreq_new() returns a valid OCSP_REQ_CTX structure or NULL if an error occurred.

OCSP_sendreq_nbio() returns 1 if the operation was completed successfully, -1 if the operation should be retried and 0 if an error occurred.

OCSP_REQ_CTX_add1_header(), OCSP_REQ_CTX_set1_req(), and OCSP_REQ_CTX_i2d() return 1 for success and 0 for failure.

OCSP_sendreq_bio() returns the OCSP_RESPONSE structure sent by the responder or NULL if an error occurred.

OCSP_REQ_CTX_free() and OCSP_set_max_response_length() do not return values.


These functions only perform a minimal HTTP query to a responder. If an application wishes to support more advanced features it should use an alternative more complete HTTP library.

Currently only HTTP POST queries to responders are supported.

The arguments to OCSP_sendreq_new() correspond to the components of the URL. For example if the responder URL is the BIO io should be connected to host on port 80 and path should be set to "/ocspreq"

The headers added with OCSP_REQ_CTX_add1_header() are of the form "name: value" or just "name" if value is NULL. So to add a Host header for you would call:

 OCSP_REQ_CTX_add1_header(ctx, "Host", "");

If OCSP_sendreq_nbio() indicates an operation should be retried the corresponding BIO can be examined to determine which operation (read or write) should be retried and appropriate action taken (for example a select() call on the underlying socket).

OCSP_sendreq_bio() does not support retries and so cannot handle nonblocking I/O efficiently. It is retained for compatibility and its use in new applications is not recommended.


crypto(7), OCSP_cert_to_id(3), OCSP_request_add1_nonce(3), OCSP_REQUEST_new(3), OCSP_resp_find_status(3), OCSP_response_status(3)

Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at