[openssl-users] Why is this OCSP response reporting a hash using SHA1?

Dr. Stephen Henson steve at openssl.org
Tue Sep 12 13:09:18 UTC 2017

On Mon, Sep 11, 2017, Robert Moskowitz wrote:

> I would actually really like to have a SIMPLE OCSP responder.  But
> so far have not found one.  freeIPA has one buried within it, but
> that is too disruptive to install unless you buy into freeIPA.

Well, the OpenSSL ocsp responder isn't much use for that, it only handles one
request at a time, can't handle dynamic updates in the status information
(needs to be restarted), has pretty awful performance (reads status from a
text file which resides in memory) and you can't tell it which interface to
bind to either.

There is a way to deal with some of those issues by running the ocsp utility
from a CGI script in a web server. The script decodes the OCSP request, hands
it to the ocsp utility and sends back the response. The downside is that the
performance is worse: the OCSP utility has to parse the text file and read it
into memory on every incoming request.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
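The CGI arrangement Steve describes, as an added example (constructed here; it is not code from the original post or from the OpenSSL project): the web server invokes this POSIX shell script for each POSTed OCSP request, the script writes the DER body to a temporary file, hands it to `openssl ocsp` running in responder mode against the CA's index file, and returns the DER response with the `application/ocsp-response` content type. The `OCSP_*` environment variable names, the `/etc/ssl/ocsp/...` paths and the 64 KiB body cap are assumptions to be adjusted per deployment; `head -c` is GNU/BSD rather than strict POSIX. Requests that are not POSTed as `application/ocsp-request`, or that carry a missing or oversized `Content-Length`, are refused before anything reaches openssl.

```shell
#!/bin/sh
# Added example CGI front end for `openssl ocsp` (constructed; not from the
# original post or the OpenSSL project). Paths and variable names are assumed
# placeholders.
set -eu

CA_CERT="${OCSP_CA_CERT:-/etc/ssl/ocsp/ca.pem}"            # issuing CA certificate
INDEX_FILE="${OCSP_INDEX:-/etc/ssl/ocsp/index.txt}"        # `openssl ca` status text file
RESP_CERT="${OCSP_RESP_CERT:-/etc/ssl/ocsp/responder.pem}" # OCSP signing certificate
RESP_KEY="${OCSP_RESP_KEY:-/etc/ssl/ocsp/responder.key}"   # its private key
MAX_BODY=65536   # assumed cap; a real OCSP request is a few hundred bytes

# RFC 6960 Appendix A: OCSP over HTTP POST carries a DER request with
# Content-Type application/ocsp-request. Anything else is rejected here.
check_request() {
    [ "$1" = "POST" ] || return 1
    case "$2" in
        application/ocsp-request|application/ocsp-request\;*) return 0 ;;
        *) return 1 ;;
    esac
}

# CONTENT_LENGTH must be a positive integer no larger than MAX_BODY, so a
# missing header or an oversized body is refused instead of read blindly.
body_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le "$MAX_BODY" ]; then
        return 0
    fi
    return 1
}

# Emit an HTTP error through the CGI header interface.
cgi_error() {
    printf 'Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\n' "$1" "$2"
}

# Hand the DER request to the ocsp utility in responder mode. The index file
# is parsed on every call, which is the performance cost the post describes.
answer_request() {
    openssl ocsp -index "$INDEX_FILE" -CA "$CA_CERT" \
        -rsigner "$RESP_CERT" -rkey "$RESP_KEY" \
        -reqin "$1" -respout "$2" >/dev/null 2>&1
}

main() {
    if ! check_request "${REQUEST_METHOD:-}" "${CONTENT_TYPE:-}"; then
        cgi_error "400 Bad Request" "POST an application/ocsp-request body"
        return 0
    fi
    if ! body_ok "${CONTENT_LENGTH:-}"; then
        cgi_error "400 Bad Request" "missing or unacceptable Content-Length"
        return 0
    fi
    workdir=$(mktemp -d) || { cgi_error "500 Internal Server Error" "no temp dir"; return 0; }
    trap 'rm -rf "$workdir"' EXIT
    # Read exactly CONTENT_LENGTH bytes; the server may keep stdin open past the body.
    head -c "$CONTENT_LENGTH" > "$workdir/req.der"
    if ! answer_request "$workdir/req.der" "$workdir/resp.der"; then
        cgi_error "500 Internal Server Error" "responder failed"
        return 0
    fi
    printf 'Content-Type: application/ocsp-response\r\nContent-Length: %s\r\n\r\n' \
        "$(wc -c < "$workdir/resp.der" | tr -d ' ')"
    cat "$workdir/resp.der"
}

# Run only when a web server invokes the script as a CGI program.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    main
fi
```

Point the web server's CGI handler at this script for the path named in the certificates' AIA OCSP URL; the two validation functions can be exercised on their own from an interactive shell because the main entry point only runs under a CGI environment.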
