[openssl-users] How can I start openssl ocsp in secure mode using TLS/SSL

Jakob Bohm jb-openssl at wisemo.com
Tue Sep 26 00:52:17 UTC 2017

On 22/09/2017 18:32, Richard Moore wrote:
> On 22 September 2017 at 15:08, Salz, Rich via openssl-users 
> <openssl-users at openssl.org <mailto:openssl-users at openssl.org>> wrote:
>     Openssl 0.9.8 is old and obsolete and has security issues; you
>     should upgrade.
>     But even if you upgrade, the ocsp command will not listen on
>     HTTPS; that is not supported.
> It's also worth pointing out that CAs are banned from running OCSP 
> servers over HTTPS anyway and it isn't needed since the responses are 
> already signed - http is fine.
That particular ban has an interesting backstory of bureaucratic
decisions that seem misguided in retrospect.

The problem is that the information in OCSP requests is potentially
very valuable to an attacker who lacks the ability to fully wiretap
the connections between the OCSP client and the ultimate source of
the checked certificate.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
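As an added illustration of the point made in this message (example code written for this page, not from the thread or the OpenSSL project): a stdlib-only Python builder and parser for an RFC 6960 OCSPRequest, showing that the issuer hashes and the serial number of the certificate being checked are readable by anyone who sees the request go by on plain HTTP. The issuer name, issuer key bytes and serial number are constructed sample values.

```python
import hashlib
SHA1_OID = bytes.fromhex("2b0e03021a")   # content octets of OID 1.3.14.3.2.26 (id-sha1), used in CertID

def der(tag, content):
    """Encode one DER TLV with a definite (short- or long-form) length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def build_ocsp_request(issuer_name, issuer_spki, serial):
    """Unsigned OCSPRequest carrying one CertID (RFC 6960 section 4.1.1)."""
    cert_id = der(0x30, b"".join([
        der(0x30, der(0x06, SHA1_OID) + der(0x05, b"")),                # hashAlgorithm: sha1, NULL
        der(0x04, hashlib.sha1(issuer_name).digest()),                    # issuerNameHash
        der(0x04, hashlib.sha1(issuer_spki).digest()),                    # issuerKeyHash
        der(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big")),  # serialNumber (positive INTEGER)
    ]))
    request_list = der(0x30, der(0x30, cert_id))    # SEQUENCE OF Request, holding one Request
    return der(0x30, der(0x30, request_list))       # OCSPRequest { TBSRequest { requestList } }

def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def children(content):   # yield (tag, content) for every TLV directly inside a constructed value
    pos = 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        yield tag, body

def parse_ocsp_request(data):
    """What a passive observer of plain-HTTP OCSP traffic reads from the first CertID."""
    _, ocsp = next(children(data))                                           # OCSPRequest
    _, tbs = next(children(ocsp))                                            # TBSRequest
    request_list = next(b for t, b in children(tbs) if t == 0x30)            # skip [0]/[1] tagged fields
    _, request = next(children(request_list))                                # first Request
    _, cert_id = next(children(request))                                     # CertID
    fields = [b for _, b in children(cert_id)]
    return {"issuerNameHash": fields[1].hex(), "issuerKeyHash": fields[2].hex(),
            "serialNumber": int.from_bytes(fields[3], "big", signed=True)}

def demo():   # constructed sample issuer data and serial number, not a real CA
    return parse_ocsp_request(build_ocsp_request(b"CN=Constructed Test CA", b"constructed-spki", 0x1A2B3C4D5E6F))
```

The issuer hashes alone already narrow down which CA issued the certificate, and the serial number then identifies the exact certificate, which is why the request reveals which site a client is contacting even though the response itself is signed.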
