[openssl-users] Why is this OCSP response reporting a hash using SHA1?

Jakob Bohm jb-openssl at wisemo.com
Tue Sep 12 14:08:04 UTC 2017

On 12/09/2017 15:56, Robert Moskowitz wrote:
> On 09/12/2017 09:38 AM, Robert Moskowitz wrote:
>> On 09/12/2017 09:09 AM, Dr. Stephen Henson wrote:
>>> On Mon, Sep 11, 2017, Robert Moskowitz wrote:
>>>> I would actually really like to have a SIMPLE OCSP responder.  But
>>>> so far have not found one.  freeIPA has one buried within it, but
>>>> that is too disruptive to install unless you buy into freeIPA.
>>> Well the OpenSSL ocsp respoder isn't much use for that, it only 
>>> handles one
>>> request at a time, can't handle dynamic updates in the status 
>>> information
>>> (needs to be restarted), has pretty awful performance (reads status 
>>> from a
>>> text file which resides in memory) and you can't tell it which 
>>> interface to
>>> bind to either.
>>> There is a way to deal with some of those issues by running the ocsp 
>>> utility
>>> from a CGI script in a web server. The script decodes the OCSP 
>>> request, hands
>>> it to the ocsp utility and sends back the response. The down side is 
>>> the
>>> performance is worse: the OCSP utility has to parse the text file 
>>> and read it
>>> into memory on every incoming request.
>> Yeah, I thought of the cgi (or php) approach and kind of cringed. 
>> That is why I am still googling for OCSP responders. Rather 
>> depressing how little is out there.
> I see ocspd available in Fedora.  I will have to do a bit of 
> reading....  Perhaps part of OpenCA,,,
Yes it's part of OpenCA, not sure of the OpenCA project status though.

Another standalone ocsp responder, which unfortunately seems to require
a complete Java environment and a Java driver to treat the cert list as
a "database" is the one from EJBCA.

EJBCA seems to be very actively maintained and some professionals
consider it the best CA implementation suite.

> Sometimes start in the 'obvious' starting point.  Like your own OS 
> repo...
>> Also nice would be index.txt in SQL.
>> Bob


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list