Cryptography and SSL/TLS Toolkit



OCSP_REQ_CTX, OCSP_sendreq_new, OCSP_sendreq_nbio, OCSP_sendreq_bio, OCSP_REQ_CTX_i2d, OCSP_REQ_CTX_add1_header, OCSP_REQ_CTX_free, OCSP_set_max_response_length, OCSP_REQ_CTX_set1_req - OCSP responder query functions


 #include <openssl/ocsp.h>

 OSSL_HTTP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path,
                                     const OCSP_REQUEST *req, int buf_size);
 OCSP_RESPONSE *OCSP_sendreq_bio(BIO *io, const char *path, OCSP_REQUEST *req);

Deprecated since OpenSSL 3.0, can be hidden entirely by defining OPENSSL_API_COMPAT with a suitable version value, see openssl_user_macros(7):

 int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OSSL_HTTP_REQ_CTX *rctx);
 int OCSP_REQ_CTX_i2d(OCSP_REQ_CT *rctx, const ASN1_ITEM *it, ASN1_VALUE *req);
 int OCSP_REQ_CTX_add1_header(OCSP_REQ_CT *rctx,
                              const char *name, const char *value);
 void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
 void OCSP_set_max_response_length(OCSP_REQ_CT *rctx, unsigned long len);
 int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, const OCSP_REQUEST *req);


These functions perform an OCSP POST request / response transfer over HTTP, using the HTTP request functions described in OSSL_HTTP_REQ_CTX(3).

The function OCSP_sendreq_new() builds a complete OSSL_HTTP_REQ_CTX structure with the BIO io to be used for requests and reponse, the URL path path, optionally the OCSP request req, and a response header maximum line length of buf_size. If buf_size is zero a default value of 4KiB is used. The req may be set to NULL and provided later using OCSP_REQ_CTX_set1_req() or OSSL_HTTP_REQ_CTX_set1_req(3). The io and path arguments to OCSP_sendreq_new() correspond to the components of the URL. For example if the responder URL is the BIO io should haven been connected to host on port 80 and path should be set to /ocspreq.

OCSP_sendreq_nbio() attempts to send the request prepared in rctx and to gather the response via HTTP, using the BIO io and path that were given when calling OCSP_sendreq_new(). If the operation gets completed it assigns the response, a pointer to a OCSP_RESPONSE structure, in *presp. The function may need to be called again if its result is -1, which indicates BIO_should_retry(3). In such a case it is advisable to sleep a little in between, using BIO_wait(3) on the read BIO to prevent a busy loop.

OCSP_sendreq_bio() combines OCSP_sendreq_new() with as many calls of OCSP_sendreq_nbio() as needed and then OCSP_REQ_CTX_free(), with a response header maximum line length 4k. It waits indefinitely on a response. It does not support setting a timeout or adding headers and is retained for compatibility; use OSSL_HTTP_transfer(3) instead.

OCSP_REQ_CTX_i2d(rctx, it, req) is equivalent to the following:

  OSSL_HTTP_REQ_CTX_set1_req(rctx, "application/ocsp-request", it, req)

OCSP_REQ_CTX_set1_req(rctx, req) is equivalent to the following:

 OSSL_HTTP_REQ_CTX_set1_req(rctx, "application/ocsp-request",
                            (const ASN1_VALUE *)req)

The deprecated type and the remaining deprecated functions have been superseded by the following equivalents: OCSP_REQ_CTX by OSSL_HTTP_REQ_CTX(3), OCSP_REQ_CTX_add1_header() by OSSL_HTTP_REQ_CTX_add1_header(3), OCSP_REQ_CTX_free() by OSSL_HTTP_REQ_CTX_free(3), and OCSP_set_max_response_length() by OSSL_HTTP_REQ_CTX_set_max_response_length(3).


OCSP_sendreq_new() returns a valid OSSL_HTTP_REQ_CTX structure or NULL if an error occurred.

OCSP_sendreq_nbio() returns 1 for success, 0 on error, -1 if retry is needed.

OCSP_sendreq_bio() returns the OCSP_RESPONSE structure sent by the responder or NULL if an error occurred.


OSSL_HTTP_REQ_CTX(3), OSSL_HTTP_transfer(3), OCSP_cert_to_id(3), OCSP_request_add1_nonce(3), OCSP_REQUEST_new(3), OCSP_resp_find_status(3), OCSP_response_status(3)


OCSP_REQ_CTX, OCSP_REQ_CTX_i2d(), OCSP_REQ_CTX_add1_header(), OCSP_REQ_CTX_free(), OCSP_set_max_response_length(), and OCSP_REQ_CTX_set1_req() were deprecated in OpenSSL 3.0.

Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at