Re: Why is this OCSP response reporting a hash using SHA1?




On Mon, Sep 11, 2017, Robert Moskowitz wrote:

> 
> I would actually really like to have a SIMPLE OCSP responder.  But
> so far have not found one.  freeIPA has one buried within it, but
> that is too disruptive to install unless you buy into freeIPA.
> 

Well the OpenSSL ocsp responder isn't much use for that, it only handles one
request at a time, can't handle dynamic updates in the status information
(needs to be restarted), has pretty awful performance (reads status from a
text file which resides in memory) and you can't tell it which interface to
bind to either.

There is a way to deal with some of those issues by running the ocsp utility
from a CGI script in a web server. The script decodes the OCSP request, hands
it to the ocsp utility and sends back the response. The downside is the
performance is worse: the OCSP utility has to parse the text file and read it
into memory on every incoming request.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
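
A sketch of the CGI approach described in the message above, as an added example that is not part of the original post or of OpenSSL: the script validates the HTTP request, passes the DER body to `openssl ocsp -reqin ... -respout ...`, and returns the signed response. The file paths, the size cap and the function names are assumptions.

```python
#!/usr/bin/env python3
# CGI wrapper around `openssl ocsp` (added example; every path is a placeholder).
import os, subprocess, sys, tempfile

INDEX = "/srv/ca/index.txt"            # assumed locations; adjust to your CA
CA_CERT = "/srv/ca/cacert.pem"
SIGNER_CERT = "/srv/ca/ocsp-cert.pem"
SIGNER_KEY = "/srv/ca/ocsp-key.pem"
MAX_REQUEST = 4096                     # assumed cap; OCSP requests are small
INTERNAL_ERROR = bytes.fromhex("30030a0102")  # DER OCSPResponse, internalError(2)

def check_request(env):
    """Return (error_status, length); error_status is None if acceptable."""
    if env.get("REQUEST_METHOD") != "POST":
        return "405 Method Not Allowed", 0
    ctype = env.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
    if ctype != "application/ocsp-request":
        return "415 Unsupported Media Type", 0
    try:
        length = int(env.get("CONTENT_LENGTH", ""))
    except ValueError:
        return "411 Length Required", 0
    if length <= 0:
        return "400 Bad Request", 0
    if length > MAX_REQUEST:
        return "413 Payload Too Large", 0
    return None, length

def sign_response(der_request):
    """One openssl run per request, so index.txt is re-read and parsed each time."""
    with tempfile.TemporaryDirectory() as tmp:
        reqin, respout = os.path.join(tmp, "req.der"), os.path.join(tmp, "resp.der")
        with open(reqin, "wb") as f:
            f.write(der_request)
        subprocess.run(["openssl", "ocsp", "-index", INDEX, "-CA", CA_CERT,
                        "-rsigner", SIGNER_CERT, "-rkey", SIGNER_KEY,
                        "-reqin", reqin, "-respout", respout],
                       check=True, capture_output=True, timeout=10)
        with open(respout, "rb") as f:
            return f.read()

def handle(env, stdin, signer=sign_response):
    """Return (status, content_type, body) for one CGI request."""
    status, length = check_request(env)
    if status:
        return status, "text/plain", status.encode()
    body = stdin.read(length)
    if len(body) != length:
        return "400 Bad Request", "text/plain", b"400 Bad Request"
    try:
        return "200 OK", "application/ocsp-response", signer(body)
    except (subprocess.SubprocessError, OSError):
        # openssl failed or is missing: answer with an unsigned OCSP error
        return "200 OK", "application/ocsp-response", INTERNAL_ERROR

if __name__ == "__main__":
    status, ctype, body = handle(os.environ, sys.stdin.buffer)
    sys.stdout.write(f"Status: {status}\r\nContent-Type: {ctype}\r\n"
                     f"Content-Length: {len(body)}\r\n\r\n")
    sys.stdout.flush()
    sys.stdout.buffer.write(body)
```

Because a fresh `openssl ocsp` process starts for every request, edits to `index.txt` are picked up without a restart, at the per-request parsing cost the message mentions.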


