[openssl-users] Why is this OCSP response reporting a hash using SHA1?
Robert Moskowitz
rgm at htt-consult.com
Tue Sep 12 13:38:32 UTC 2017
On 09/12/2017 09:09 AM, Dr. Stephen Henson wrote:
> On Mon, Sep 11, 2017, Robert Moskowitz wrote:
>
>> I would actually really like to have a SIMPLE OCSP responder. But
>> so far have not found one. freeIPA has one buried within it, but
>> that is too disruptive to install unless you buy into freeIPA.
>>
> Well the OpenSSL ocsp responder isn't much use for that, it only handles one
> request at a time, can't handle dynamic updates in the status information
> (needs to be restarted), has pretty awful performance (reads status from a
> text file which resides in memory) and you can't tell it which interface to
> bind to either.
>
> There is a way to deal with some of those issues by running the ocsp utility
> from a CGI script in a web server. The script decodes the OCSP request, hands
> it to the ocsp utility and sends back the response. The down side is the
> performance is worse: the OCSP utility has to parse the text file and read it
> into memory on every incoming request.
Yeah, I thought of the cgi (or php) approach and kind of cringed. That
is why I am still googling for OCSP responders. Rather depressing how
little is out there.
Also nice would be index.txt in SQL.
Bob
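
The CGI approach described in the quoted reply could look like the sketch below. This is an added example, not code from the thread or from the OpenSSL project; the file paths, the `MAX_REQ` limit and the function names are assumptions. It accepts the POST and GET request forms of RFC 6960 Appendix A and runs `openssl ocsp` once per request.

```python
import base64, os, subprocess, sys, tempfile
from urllib.parse import unquote

# Assumed file locations and size limit; adjust to the CA's own layout.
INDEX, CA_CERT = "/etc/pki/ca/index.txt", "/etc/pki/ca/ca.pem"
SIGNER, SIGNER_KEY = "/etc/pki/ca/ocsp.pem", "/etc/pki/ca/ocsp.key"
MAX_REQ = 4096  # real OCSP requests are far smaller

def extract_request(environ, stdin):
    """Return the DER request from a POST body, or from a GET path that
    carries the url-encoded base64 of the request (RFC 6960, A.1)."""
    method = environ.get("REQUEST_METHOD")
    if method == "POST":
        ctype = environ.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
        length = int(environ.get("CONTENT_LENGTH") or 0)
        if ctype != "application/ocsp-request" or not 0 < length <= MAX_REQ:
            raise ValueError("bad content type or length")
        return stdin.read(length)
    if method == "GET":
        b64 = unquote(environ.get("PATH_INFO", "").lstrip("/"))
        if not 0 < len(b64) <= 2 * MAX_REQ:
            raise ValueError("bad length")
        return base64.b64decode(b64, validate=True)  # raises ValueError on junk
    raise ValueError("unsupported method")

def respond(der_request):
    """Run `openssl ocsp` once; it re-reads index.txt on every invocation."""
    with tempfile.TemporaryDirectory() as tmp:
        req, resp = os.path.join(tmp, "req.der"), os.path.join(tmp, "resp.der")
        with open(req, "wb") as f:
            f.write(der_request)
        subprocess.run(
            ["openssl", "ocsp", "-index", INDEX, "-CA", CA_CERT, "-rsigner", SIGNER,
             "-rkey", SIGNER_KEY, "-reqin", req, "-respout", resp],
            check=True, timeout=10, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        with open(resp, "rb") as f:
            return f.read()

def main():
    out = sys.stdout.buffer
    try:
        body = respond(extract_request(os.environ, sys.stdin.buffer))
    except ValueError:
        out.write(b"Status: 400 Bad Request\r\n\r\n")
    except (OSError, subprocess.SubprocessError):
        out.write(b"Status: 500 Internal Server Error\r\n\r\n")
    else:
        out.write(b"Content-Type: application/ocsp-response\r\n\r\n" + body)

if __name__ == "__main__":
    main()
```

The request is written to a private temporary directory and passed as an argument list, so no request bytes reach a shell, and the responder key only needs to be readable by the CGI user.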