[openssl-users] Why is this OCSP response reporting a hash using SHA1?
jb-openssl at wisemo.com
Tue Sep 12 14:08:04 UTC 2017
On 12/09/2017 15:56, Robert Moskowitz wrote:
> On 09/12/2017 09:38 AM, Robert Moskowitz wrote:
>> On 09/12/2017 09:09 AM, Dr. Stephen Henson wrote:
>>> On Mon, Sep 11, 2017, Robert Moskowitz wrote:
>>>> I would actually really like to have a SIMPLE OCSP responder. But
>>>> so far have not found one. freeIPA has one buried within it, but
>>>> that is too disruptive to install unless you buy into freeIPA.
>>> Well the OpenSSL ocsp responder isn't much use for that, it only handles one
>>> request at a time, can't handle dynamic updates in the status (needs to be
>>> restarted), has pretty awful performance (reads status from a text file
>>> which resides in memory) and you can't tell it which interface to bind to
>>> either.
>>> There is a way to deal with some of those issues by running the ocsp from a
>>> CGI script in a web server. The script decodes the OCSP request, hands it to
>>> the ocsp utility and sends back the response. The down side is performance
>>> is worse: the OCSP utility has to parse the text file and read it into
>>> memory on every incoming request.
>> Yeah, I thought of the cgi (or php) approach and kind of cringed.
>> That is why I am still googling for OCSP responders. Rather
>> depressing how little is out there.
> I see ocspd available in Fedora. I will have to do a bit of
> reading... Perhaps part of OpenCA...
Yes it's part of OpenCA, not sure of the OpenCA project status though.
Another standalone ocsp responder, which unfortunately seems to require
a complete Java environment and a Java driver to treat the cert list as
a "database" is the one from EJBCA.
EJBCA seems to be very actively maintained and some professionals
consider it the best CA implementation suite.
> Sometimes start in the 'obvious' starting point. Like your own OS
>> Also nice would be index.txt in SQL.
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
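
The CGI approach described in the quoted text above, sketched as an added example that is not part of the original thread and is not OpenSSL project code. The `CA_DIR` path and its file names are assumed placeholders, and the script assumes the web server maps it so that `PATH_INFO` holds only the encoded request on GET.

```python
"""CGI wrapper: decode an OCSP request, hand it to `openssl ocsp`, return the response."""
import base64, os, subprocess, sys, tempfile
from urllib.parse import unquote

CA_DIR = "/etc/pki/ocsp"   # assumed location of index.txt, CA cert, responder cert/key
MAX_REQUEST = 4096         # OCSP requests are small; refuse anything larger

def extract_request(method, path_info, content_type, body):
    """Return the DER request from a POST body or a GET path (RFC 6960 Appendix A)."""
    if method == "POST":
        if content_type != "application/ocsp-request":
            raise ValueError("unexpected Content-Type")
        der = body
    elif method == "GET":
        # GET carries the url-encoded base64 of the DER request in the path.
        der = base64.b64decode(unquote(path_info.lstrip("/")), validate=True)
    else:
        raise ValueError("unsupported method")
    if not der or len(der) > MAX_REQUEST or der[0] != 0x30:  # 0x30 = DER SEQUENCE
        raise ValueError("not a plausible OCSP request")
    return der

def build_command(req_path, resp_path):
    """argv list, run without a shell, so request bytes never reach a command parser."""
    return ["openssl", "ocsp", "-index", f"{CA_DIR}/index.txt",
            "-CA", f"{CA_DIR}/ca.pem", "-rsigner", f"{CA_DIR}/ocsp.pem",
            "-rkey", f"{CA_DIR}/ocsp.key", "-reqin", req_path, "-respout", resp_path]

def respond(der):
    """One utility run per request: index.txt is parsed again every time."""
    with tempfile.TemporaryDirectory() as tmp:
        req, resp = os.path.join(tmp, "req.der"), os.path.join(tmp, "resp.der")
        with open(req, "wb") as f:
            f.write(der)
        subprocess.run(build_command(req, resp), check=True, timeout=10,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        with open(resp, "rb") as f:
            return f.read()

def main():
    env = os.environ
    try:
        n = max(0, min(int(env.get("CONTENT_LENGTH") or 0), MAX_REQUEST + 1))
        der = extract_request(env.get("REQUEST_METHOD", ""), env.get("PATH_INFO", ""),
                              env.get("CONTENT_TYPE", ""), sys.stdin.buffer.read(n))
        out = b"Content-Type: application/ocsp-response\r\n\r\n" + respond(der)
    except Exception:  # rejected request or utility failure: no detail to the client
        out = b"Status: 400 Bad Request\r\n\r\n"
    sys.stdout.buffer.write(out)

if __name__ == "__main__":
    main()
```

Because the utility is started fresh for each request, status changes in `index.txt` take effect without a restart, at the per-request parsing cost the thread mentions.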