[openssl-users] OCSP: ocsp.omniroot.com/baltimore/... - what is it exactly?
Salz, Rich
rsalz at akamai.com
Thu Apr 30 20:11:33 UTC 2015
> My webserver is getting flooded with queries like:
>
> ocsp.omniroot.com 124.205.254.7 - - [30/Apr/2015:19:24:30 +0200] "GET
> /baltimoreroot/MEowSKADAgEAMEEwPzA9MAkGBSsOAwIaBQAEFMEvRXbt
> FVnssF26ib%2BdgHjlI9QTBBTlnVkwgkdYzKz6CFQ2hns6tQRN8AIEByekag%3D
> %3D
> HTTP/1.1" 301 184 "-" "ocspd/1.0.3"
Well, that stinks.
URL-decoding (%2B is + and %3D is =), and then base64-decoding it, can give you the OCSP request:
; ./openssl ocsp -text -reqin x.der
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: C12F4576ED1559ECB05DBA89BF9D8078E523D413
          Issuer Key Hash: E59D5930824758CCACFA085436867B3AB5044DF0
          Serial Number: 0727A46A
> Is it possible to say what "Common name / fqdn / certificate" is queried in
> such requests?
Not really. The protocol assumes that the requestor has the cert, and the server has the serial#, so the protocol sends the minimal information.
Sorry.
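
The decoding steps described in the reply above, as an added example (not code from the original post or from OpenSSL): it URL-decodes and base64-decodes the logged GET path, then walks the DER to extract each CertID, showing that the request carries only two issuer hashes and a serial number. The function names and the `prefix` argument are assumptions made here; the path is the one from the quoted log line.

```python
import base64
from urllib.parse import unquote

# Path from the access-log line quoted in the post, mail line wrapping removed.
LOGGED_PATH = ("/baltimoreroot/MEowSKADAgEAMEEwPzA9MAkGBSsOAwIaBQAEFMEvRXbt"
               "FVnssF26ib%2BdgHjlI9QTBBTlnVkwgkdYzKz6CFQ2hns6tQRN8AIEByekag%3D%3D")

HASH_OIDS = {"2b0e03021a": "sha1", "608648016503040201": "sha256"}

def read_tlv(buf, pos, want=None):
    """Return (tag, value, next_pos) for the DER element at pos, bounds-checked."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n                              # any overrun is caught just below
    if pos + length > len(buf):
        raise ValueError("DER length overruns buffer")
    if want is not None and tag != want:
        raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
    return tag, buf[pos:pos + length], pos + length

def cert_ids_from_get_path(path, prefix):
    """Decode the request in an OCSP GET path (RFC 6960) into CertID dicts."""
    if not path.startswith(prefix):
        raise ValueError("unexpected responder path")
    der = base64.b64decode(unquote(path[len(prefix):]), validate=True)
    _, ocsp_request, _ = read_tlv(der, 0, 0x30)
    _, tbs, _ = read_tlv(ocsp_request, 0, 0x30)
    tag, pos = None, 0
    while tag != 0x30:                        # skip [0] version, [1] requestorName
        tag, request_list, pos = read_tlv(tbs, pos)
    ids, pos = [], 0
    while pos < len(request_list):
        _, request, pos = read_tlv(request_list, pos, 0x30)
        _, cert_id, _ = read_tlv(request, 0, 0x30)
        _, alg, p = read_tlv(cert_id, 0, 0x30)
        _, oid, _ = read_tlv(alg, 0, 0x06)
        _, name_hash, p = read_tlv(cert_id, p, 0x04)
        _, key_hash, p = read_tlv(cert_id, p, 0x04)
        _, serial, _ = read_tlv(cert_id, p, 0x02)
        ids.append({"hash_alg": HASH_OIDS.get(oid.hex(), oid.hex()),
                    "issuer_name_hash": name_hash.hex().upper(),
                    "issuer_key_hash": key_hash.hex().upper(),
                    "serial": serial.hex().upper()})
    return ids
```

Calling `cert_ids_from_get_path(LOGGED_PATH, "/baltimoreroot/")` returns one entry whose fields match the `openssl ocsp -text` output above, so access-log lines can be grouped by issuer key hash and serial without writing each request to a file first.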