the program uses its own verification callback, which runs during the TLS handshake and overrides the default callback
it is therefore necessary to manually verify the certificates, check the hostname, and only then check the revocation statuses of the certificates (done)
the revocation check takes place for all certificates in the chain except the root certificate, and only whenever possible (for example, if OCSP stapling does not send a stapled OCSP Response, then no verification can be done)
Actual problems:
a random nonce is manually added to the OCSP Request, but it is not present in the OCSP Response (the responder does not include the nonce extension)
OCSP stapling sends a stapled response only for the server's leaf certificate (currently don't know if it is even possible to configure)
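One way to handle the missing nonce described above, as an added example that is not the program's own code: a mismatched nonce is rejected, and when the responder omits the nonce the thisUpdate/nextUpdate window is the only replay protection left, so it is enforced. The `OcspResult` type, its field names, and the `SKEW` and `MAX_AGE` values are assumptions, and the response signature is assumed to be verified already.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical container for fields already parsed out of a signature-verified
# OCSP response; the names are assumptions, not the program's own types.
@dataclass
class OcspResult:
    cert_status: str                 # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime]  # None when the responder leaves it out
    nonce: Optional[bytes]           # None when the responder omits the extension

SKEW = timedelta(minutes=5)   # assumed clock-skew tolerance
MAX_AGE = timedelta(days=7)   # assumed cap used when nextUpdate is absent

def evaluate(sent_nonce: bytes, resp: OcspResult, now: datetime) -> str:
    """Return 'accept', 'reject' or 'stale' for one certificate's response."""
    # A nonce that comes back must match the one sent; a mismatch means the
    # response was not produced for this request.
    if resp.nonce is not None and resp.nonce != sent_nonce:
        return "reject"
    # Anything other than "good" fails the check regardless of freshness.
    if resp.cert_status != "good":
        return "reject"
    # A thisUpdate in the future (beyond clock skew) is not trustworthy.
    if resp.this_update > now + SKEW:
        return "reject"
    # Without a nonce this window is the only defence against a replayed
    # "good" response, so an expired window is reported separately.
    expiry = resp.next_update
    if expiry is None:
        expiry = resp.this_update + MAX_AGE
    if expiry < now - SKEW:
        return "stale"
    return "accept"

if __name__ == "__main__":
    # Constructed sample: responder dropped the nonce, window still valid.
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
    resp = OcspResult("good", now - timedelta(hours=2), now + timedelta(days=3), None)
    print(evaluate(b"\x01" * 16, resp, now))
```

A caller can treat `stale` as a reason to query the responder again instead of failing the handshake outright.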
Dependencies required to run the program:
Side notes:
Actual problems: