Tightening OCSP Responder Authorization for RFC 6960 Compliance

wolfSSL has removed CheckOcspResponderChain(), a non-compliant chain walk that authorized any OCSP responder certificate issued by any ancestor of the target certificate’s issuer as of version 5.9.2. RFC 6960 §4.2.2.2 requires that an OCSP response be signed directly by the CA that issued the certificate in question or a delegated responder appointed by that exact CA. The change also drops the now-unused vp parameter and the related WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK macro, and refreshes the OCSP test certs and scripts to exercise both RFC-compliant paths, while adding a negative test that confirms ancestor-issued responses are now rejected.

Should you update?

Users who rely on OCSP revocation checking (--enable-ocsp / OCSP stapling) may want to consider updating to pick up this hardening, especially in PKI deployments with multi-tier CA hierarchies where a non-immediate ancestor could previously sign OCSP responses. Upgrading will require the reissuing of non-compliant responder certificates. Most standard setups where responses are signed by the issuing CA directly or by a correctly delegated responder will see no behavioral change.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now