openssl ocsp utility does not send 'Host' header by default?
But why? Looks like this is a bug.
If I remove '-verify_other chain.pem' from the command line, I get an error:

    Response Verify Failure
    certificate not found:ocsp_vfy.c:92:

'man ocsp' says:

    file containing additional certificates to search
    when attempting to locate the OCSP response signing
    certificate. Some responders omit the actual signer's
    certificate from the response: this option can be used
    to supply the necessary certificate in such cases.

But why do I need to provide '-verify_other chain.pem'
with the issuer certificate?
As I understand it, RFC 6960 says that only the issuer certificate
is required for OCSP response verification.
Looks like this is a bug in the OpenSSL library / openssl ocsp utility.