[openssl-users] Why is this OCSP response reporting a hash using SHA1?
Robert Moskowitz
rgm at htt-consult.com
Tue Sep 12 13:56:15 UTC 2017
On 09/12/2017 09:38 AM, Robert Moskowitz wrote:
>
>
> On 09/12/2017 09:09 AM, Dr. Stephen Henson wrote:
>> On Mon, Sep 11, 2017, Robert Moskowitz wrote:
>>
>>> I would actually really like to have a SIMPLE OCSP responder. But
>>> so far have not found one. freeIPA has one buried within it, but
>>> that is too disruptive to install unless you buy into freeIPA.
>>>
>> Well the OpenSSL ocsp respoder isn't much use for that, it only
>> handles one
>> request at a time, can't handle dynamic updates in the status
>> information
>> (needs to be restarted), has pretty awful performance (reads status
>> from a
>> text file which resides in memory) and you can't tell it which
>> interface to
>> bind to either.
>>
>> There is a way to deal with some of those issues by running the ocsp
>> utility
>> from a CGI script in a web server. The script decodes the OCSP
>> request, hands
>> it to the ocsp utility and sends back the response. The down side is the
>> performance is worse: the OCSP utility has to parse the text file and
>> read it
>> into memory on every incoming request.
>
> Yeah, I thought of the cgi (or php) approach and kind of cringed. That
> is why I am still googling for OCSP responders. Rather depressing how
> little is out there.
I see ocspd available in Fedora. I will have to do a bit of
reading.... Perhaps part of OpenCA,,,
Sometimes start in the 'obvious' starting point. Like your own OS repo...
>
> Also nice would be index.txt in SQL.
>
> Bob
>
More information about the openssl-users
mailing list