[openssl-users] Why is this OCSP response reporting a hash using SHA1?

Robert Moskowitz rgm at htt-consult.com
Tue Sep 12 13:38:32 UTC 2017



On 09/12/2017 09:09 AM, Dr. Stephen Henson wrote:
> On Mon, Sep 11, 2017, Robert Moskowitz wrote:
>
>> I would actually really like to have a SIMPLE OCSP responder.  But
>> so far have not found one.  freeIPA has one buried within it, but
>> that is too disruptive to install unless you buy into freeIPA.
>>
> Well the OpenSSL ocsp respoder isn't much use for that, it only handles one
> request at a time, can't handle dynamic updates in the status information
> (needs to be restarted), has pretty awful performance (reads status from a
> text file which resides in memory) and you can't tell it which interface to
> bind to either.
>
> There is a way to deal with some of those issues by running the ocsp utility
> from a CGI script in a web server. The script decodes the OCSP request, hands
> it to the ocsp utility and sends back the response. The down side is the
> performance is worse: the OCSP utility has to parse the text file and read it
> into memory on every incoming request.

Yeah, I thought of the cgi (or php) approach and kind of cringed. That 
is why I am still googling for OCSP responders.  Rather depressing how 
little is out there.

Also nice would be index.txt in SQL.

Bob



More information about the openssl-users mailing list