[openssl-users] Why is this OCSP response reporting a hash using SHA1?
Dr. Stephen Henson
steve at openssl.org
Tue Sep 12 13:09:18 UTC 2017
On Mon, Sep 11, 2017, Robert Moskowitz wrote:
>
> I would actually really like to have a SIMPLE OCSP responder. But
> so far have not found one. freeIPA has one buried within it, but
> that is too disruptive to install unless you buy into freeIPA.
>
Well the OpenSSL ocsp respoder isn't much use for that, it only handles one
request at a time, can't handle dynamic updates in the status information
(needs to be restarted), has pretty awful performance (reads status from a
text file which resides in memory) and you can't tell it which interface to
bind to either.
There is a way to deal with some of those issues by running the ocsp utility
from a CGI script in a web server. The script decodes the OCSP request, hands
it to the ocsp utility and sends back the response. The down side is the
performance is worse: the OCSP utility has to parse the text file and read it
into memory on every incoming request.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
More information about the openssl-users
mailing list