[openssl-users] Why is this OCSP response reporting a hash using SHA1?

Robert Moskowitz rgm at htt-consult.com
Tue Sep 12 13:56:15 UTC 2017



On 09/12/2017 09:38 AM, Robert Moskowitz wrote:
>
>
> On 09/12/2017 09:09 AM, Dr. Stephen Henson wrote:
>> On Mon, Sep 11, 2017, Robert Moskowitz wrote:
>>
>>> I would actually really like to have a SIMPLE OCSP responder.  But
>>> so far have not found one.  freeIPA has one buried within it, but
>>> that is too disruptive to install unless you buy into freeIPA.
>>>
>> Well the OpenSSL ocsp responder isn't much use for that, it only handles one
>> request at a time, can't handle dynamic updates in the status information
>> (needs to be restarted), has pretty awful performance (reads status from a
>> text file which resides in memory) and you can't tell it which interface to
>> bind to either.
>>
>> There is a way to deal with some of those issues by running the ocsp utility
>> from a CGI script in a web server. The script decodes the OCSP request, hands
>> it to the ocsp utility and sends back the response. The down side is the
>> performance is worse: the OCSP utility has to parse the text file and read it
>> into memory on every incoming request.
>
> Yeah, I thought of the cgi (or php) approach and kind of cringed. That is why
> I am still googling for OCSP responders.  Rather depressing how little is out
> there.
I see ocspd available in Fedora.  I will have to do a bit of reading....
Perhaps part of OpenCA...

Sometimes start in the 'obvious' starting point.  Like your own OS repo...


>
> Also nice would be index.txt in SQL.
>
> Bob
>

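The CGI wrapper Stephen describes, as an added example that is not part of the thread or of OpenSSL's own code: a POSIX sh CGI that checks the HTTP request, hands the DER body to `openssl ocsp` once, and returns the DER response. The certificate, key and index.txt paths under /etc/pki/ocsp are assumptions; GATEWAY_INTERFACE is the standard CGI environment variable, used here so the script does nothing when run outside a web server.

```shell
#!/bin/sh
# Minimal CGI front-end that hands each OCSP request to "openssl ocsp".
# Assumed (hypothetical) paths; adjust to your CA layout.
OCSP_DIR="${OCSP_DIR:-/etc/pki/ocsp}"
CA_CERT="$OCSP_DIR/ca.pem"          # issuing CA certificate
RSIGNER="$OCSP_DIR/ocsp-signer.pem" # responder certificate
RKEY="$OCSP_DIR/ocsp-signer.key"    # responder private key
INDEX="$OCSP_DIR/index.txt"         # openssl ca status database
MAX_REQ=4096                        # upper bound for a DER OCSP request

# Accept only a POST of application/ocsp-request with a plausible length.
# Returns 0 if acceptable, 1 otherwise.
validate_request() {
    method="$1"; ctype="$2"; clen="$3"
    [ "$method" = "POST" ] || return 1
    case "$ctype" in application/ocsp-request*) ;; *) return 1 ;; esac
    case "$clen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$clen" -gt 0 ] && [ "$clen" -le "$MAX_REQ" ]
}

# Send an HTTP error to the client and stop.
fail() {
    printf 'Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\n' "$1" "$2"
    exit 0
}

# Run the responder once over the DER request in $1, writing DER to $2.
# openssl re-reads index.txt on every call: the cost noted in the thread.
answer_request() {
    openssl ocsp -index "$INDEX" -CA "$CA_CERT" -rsigner "$RSIGNER" \
        -rkey "$RKEY" -reqin "$1" -respout "$2" >/dev/null 2>&1
}

main() {
    validate_request "${REQUEST_METHOD:-}" "${CONTENT_TYPE:-}" "${CONTENT_LENGTH:-}" \
        || fail "400 Bad Request" "expected POST of application/ocsp-request"
    tmpd=$(mktemp -d) || fail "500 Internal Server Error" "mktemp failed"
    trap 'rm -rf "$tmpd"' EXIT
    # Read exactly CONTENT_LENGTH bytes so an oversized body is never consumed.
    head -c "$CONTENT_LENGTH" > "$tmpd/req.der"
    answer_request "$tmpd/req.der" "$tmpd/resp.der" \
        || fail "500 Internal Server Error" "ocsp utility failed"
    printf 'Content-Type: application/ocsp-response\r\n'
    printf 'Content-Length: %s\r\n\r\n' "$(wc -c < "$tmpd/resp.der" | tr -d ' ')"
    cat "$tmpd/resp.der"
}

# Run only when a web server invokes this file as a CGI program.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then main; fi
```

Install it as a CGI program and point the certificates' AIA OCSP URL at it; the web server, not the ocsp utility, then decides which interface to bind to.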