[openssl-users] Why is this OCSP response reporting a hash using SHA1?
Jakob Bohm
jb-openssl at wisemo.com
Tue Sep 12 14:08:04 UTC 2017
On 12/09/2017 15:56, Robert Moskowitz wrote:
>
>
> On 09/12/2017 09:38 AM, Robert Moskowitz wrote:
>>
>>
>> On 09/12/2017 09:09 AM, Dr. Stephen Henson wrote:
>>> On Mon, Sep 11, 2017, Robert Moskowitz wrote:
>>>
>>>> I would actually really like to have a SIMPLE OCSP responder. But
>>>> so far have not found one. freeIPA has one buried within it, but
>>>> that is too disruptive to install unless you buy into freeIPA.
>>>>
>>> Well, the OpenSSL ocsp responder isn't much use for that: it only
>>> handles one request at a time, can't handle dynamic updates in the
>>> status information (needs to be restarted), has pretty awful
>>> performance (reads status from a text file which resides in memory),
>>> and you can't tell it which interface to bind to either.
>>>
>>> There is a way to deal with some of those issues by running the ocsp
>>> utility from a CGI script in a web server. The script decodes the
>>> OCSP request, hands it to the ocsp utility and sends back the
>>> response. The downside is that the performance is worse: the OCSP
>>> utility has to parse the text file and read it into memory on every
>>> incoming request.
>>
>> Yeah, I thought of the cgi (or php) approach and kind of cringed.
>> That is why I am still googling for OCSP responders. Rather
>> depressing how little is out there.
> I see ocspd available in Fedora. I will have to do a bit of
> reading... Perhaps part of OpenCA...
>
Yes, it's part of OpenCA; not sure of the OpenCA project status, though.
Another standalone OCSP responder, which unfortunately seems to require
a complete Java environment and a Java driver to treat the cert list as
a "database", is the one from EJBCA.
EJBCA seems to be very actively maintained, and some professionals
consider it the best CA implementation suite.
> Sometimes start at the 'obvious' starting point. Like your own OS
> repo...
>
>
>>
>> Also nice would be index.txt in SQL.
>>
>> Bob
>>
>
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
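The CGI arrangement Stephen Henson describes above (web server receives the OCSP POST, a script hands the DER request to the ocsp utility with the CA's index.txt, and the DER response goes back), written out as an added example. This is not code from the thread or from the OpenSSL project; it is a plain POSIX sh CGI program that assumes an `openssl` binary on PATH, the file locations it sets at the top (all hypothetical, overridable through the environment), and a web server that follows the usual CGI convention of passing the request body on stdin with REQUEST_METHOD, CONTENT_TYPE and CONTENT_LENGTH set. Note that the hash algorithm in the CertID of the response is echoed from the client's request; `-rmd` only picks the digest used for the response signature.

```shell
#!/bin/sh
# ocsp-cgi.sh: CGI front end for `openssl ocsp` in responder mode.
# Flow: read the DER OCSP request the client POSTed -> run the ocsp utility
# against the CA's index.txt -> write the DER response back. index.txt is
# re-parsed on every request, which is the performance cost noted in the
# thread.
#
# Assumed layout (hypothetical; override via the environment):
OCSP_DIR="${OCSP_DIR:-/etc/ocsp}"
INDEX="${INDEX:-$OCSP_DIR/index.txt}"              # CA's index.txt (openssl ca format)
CA_CERT="${CA_CERT:-$OCSP_DIR/ca.pem}"             # CA whose certs we answer for
RSIGNER="${RSIGNER:-$OCSP_DIR/ocsp-signer.pem}"    # response signing cert (hypothetical name)
RKEY="${RKEY:-$OCSP_DIR/ocsp-signer.key}"          # its private key (hypothetical name)
MAX_REQ=65536                                      # refuse oversized request bodies

# ocsp_respond REQ.der RESP.der
# Produce one signed response for one DER request. The CertID hash (SHA-1
# or otherwise) in the response is whatever the client used in its request;
# -rmd only selects the signature digest.
ocsp_respond() {
    openssl ocsp -index "$INDEX" -CA "$CA_CERT" \
        -rsigner "$RSIGNER" -rkey "$RKEY" -rmd sha256 \
        -ndays 1 -reqin "$1" -respout "$2" >/dev/null 2>&1
}

# cgi_main: the RFC 6960 HTTP POST binding. Reads the body from stdin and
# writes a CGI response (headers + DER body) to stdout. Returns non-zero
# when the request is refused or the responder fails.
cgi_main() {
    if [ "${REQUEST_METHOD:-}" != "POST" ] || \
       [ "${CONTENT_TYPE:-}" != "application/ocsp-request" ]; then
        printf 'Status: 415 Unsupported Media Type\r\nContent-Type: text/plain\r\n\r\n'
        printf 'POST application/ocsp-request only\n'
        return 1
    fi
    # Accept only a sane, numeric Content-Length; never read unbounded input.
    case "${CONTENT_LENGTH:-}" in
        ''|*[!0-9]*) bad_len=1 ;;
        *) if [ "$CONTENT_LENGTH" -gt 0 ] && [ "$CONTENT_LENGTH" -le "$MAX_REQ" ]
           then bad_len=0; else bad_len=1; fi ;;
    esac
    if [ "$bad_len" = 1 ]; then
        printf 'Status: 413 Payload Too Large\r\nContent-Type: text/plain\r\n\r\n'
        printf 'bad Content-Length\n'
        return 1
    fi
    work=$(mktemp -d) || return 1
    head -c "$CONTENT_LENGTH" > "$work/req.der"
    if ocsp_respond "$work/req.der" "$work/resp.der"; then
        printf 'Content-Type: application/ocsp-response\r\n'
        printf 'Content-Length: %s\r\n\r\n' "$(wc -c < "$work/resp.der" | tr -d ' ')"
        cat "$work/resp.der"
        rc=0
    else
        printf 'Status: 500 Internal Server Error\r\nContent-Type: text/plain\r\n\r\n'
        printf 'responder error\n'
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

# When invoked by a web server (REQUEST_METHOD set), act as the CGI program.
if [ -n "${REQUEST_METHOD:-}" ]; then
    cgi_main
    exit $?
fi
```

Two practical points the thread's discussion implies but does not spell out: the web server user ends up with read access to the signing key, so sign with a dedicated OCSP signing certificate rather than the CA key itself, and the script only serves the POST binding (RFC 6960 also defines a GET form with the request base64-encoded in the URL, which this example does not handle).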