Details
Bug
Resolution: Unresolved
P3: Somewhat important
None
5.15.7, 6.2.2
None
Description
We tried to enforce OCSP-Stapling for all TLS connections. It works, but there is no OCSP-Response in a session resumption that Qt handles itself with QNetworkAccessManager. So we get a QSslError::OcspNoResponseFound error for this even though we received a valid one for the initial connection.
I looked into the TLS handshake with Wireshark and I saw that Qt correctly requests the status information. The server (Apache and Caddy tested) returns the OCSP-Response with a new connection only. This makes OCSP-Stapling a little bit "useless".
Is it possible for Qt to handle session resumption for OCSP-Stapling? So it would use the old OCSP-Response and check if it is still valid for the resumed session.
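The behaviour requested above, modelled as an added example in plain C++ (not Qt code and not part of the original report): keep the stapled response from the full handshake and re-check its validity window when a resumed session carries none. `CachedOcsp`, `OcspResumptionCache` and `Verdict` are hypothetical names, and the response is assumed to have been signature-verified when it was first received.

```cpp
#include <chrono>
#include <cstdio>
#include <map>
#include <string>

using Clock = std::chrono::system_clock;

// Fields kept from a stapled OCSP response (hypothetical struct, not a Qt type).
// Assumption: signature and responder were verified when it was received.
struct CachedOcsp {
    bool good;                      // certStatus was "good"
    Clock::time_point thisUpdate;
    Clock::time_point nextUpdate;
};

enum class Verdict { Accept, RejectNoResponse, RejectExpired, RejectNotGood };

class OcspResumptionCache {
public:
    // certDigest: digest of the peer leaf certificate (same on resumption).
    // stapled: response carried by this handshake, nullptr when there was none.
    Verdict check(const std::string &certDigest, bool resumed,
                  const CachedOcsp *stapled, Clock::time_point now) {
        if (stapled) {                                   // fresh staple always wins
            cache_[certDigest] = *stapled;
            return judge(*stapled, now);
        }
        if (!resumed) return Verdict::RejectNoResponse;  // full handshake must staple
        auto it = cache_.find(certDigest);
        if (it == cache_.end()) return Verdict::RejectNoResponse;
        Verdict v = judge(it->second, now);
        if (v != Verdict::Accept) cache_.erase(it);      // stale entry: drop it
        return v;
    }
private:
    static Verdict judge(const CachedOcsp &r, Clock::time_point now) {
        if (!r.good) return Verdict::RejectNotGood;
        if (now < r.thisUpdate || now >= r.nextUpdate) return Verdict::RejectExpired;
        return Verdict::Accept;
    }
    std::map<std::string, CachedOcsp> cache_;
};

int main() {
    // Constructed sample: full handshake with a staple, then a resumed one without.
    OcspResumptionCache cache;
    Clock::time_point t0 = Clock::now();
    CachedOcsp fresh{true, t0 - std::chrono::hours(1), t0 + std::chrono::hours(23)};
    cache.check("constructed-cert-digest", false, &fresh, t0);
    Verdict v = cache.check("constructed-cert-digest", true, nullptr, t0);
    std::printf("resumed session accepted: %d\n", v == Verdict::Accept);
    return 0;
}
```

A rejected resumed session should be retried with a full handshake, which is the only point at which the server sends a new stapled response.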