> My webserver is getting flooded with queries like: > > ocsp.omniroot.com 124.205.254.7 - - [30/Apr/2015:19:24:30 +0200] "GET > /baltimoreroot/MEowSKADAgEAMEEwPzA9MAkGBSsOAwIaBQAEFMEvRXbt > FVnssF26ib%2BdgHjlI9QTBBTlnVkwgkdYzKz6CFQ2hns6tQRN8AIEByekag%3D > %3D > HTTP/1.1" 301 184 "-" "ocspd/1.0.3" Well, that stinks. url-decoding (%2b is + and %3d is =), and then base64 decoding it can give you the OCSP request: ; ./openssl ocsp -text -reqin x.der OCSP Request Data: Version: 1 (0x0) Requestor List: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: C12F4576ED1559ECB05DBA89BF9D8078E523D413 Issuer Key Hash: E59D5930824758CCACFA085436867B3AB5044DF0 Serial Number: 0727A46A > Is it possible to say what "Common name / fqdn / certificate" is queried in > such requests? Not really. The protocol assumes that the requestor has the cert, and the server has the serial#, so the protocol sends the minimal information. Sorry.