On 09/12/2017 09:09 AM, Dr. Stephen Henson wrote:
> On Mon, Sep 11, 2017, Robert Moskowitz wrote:
>> I would actually really like to have a SIMPLE OCSP responder. But
>> so far have not found one. freeIPA has one buried within it, but
>> that is too disruptive to install unless you buy into freeIPA.
> Well the OpenSSL ocsp responder isn't much use for that, it only handles one
> request at a time, can't handle dynamic updates in the status information
> (needs to be restarted), has pretty awful performance (reads status from a
> text file which resides in memory) and you can't tell it which interface to
> bind to either.
> There is a way to deal with some of those issues by running the ocsp utility
> from a CGI script in a web server. The script decodes the OCSP request, hands
> it to the ocsp utility and sends back the response. The down side is the
> performance is worse: the OCSP utility has to parse the text file and read it
> into memory on every incoming request.
Yeah, I thought of the cgi (or php) approach and kind of cringed. That
is why I am still googling for OCSP responders. Rather depressing how
little is out there.
Also nice would be index.txt in SQL.
Bob
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
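The CGI approach Stephen describes, as an added example (not code from the thread, from OpenSSL, or from either poster): a small CGI script that accepts an OCSP request over HTTP as specified in RFC 6960 Appendix A (a POST body of type application/ocsp-request, or a GET whose path is the URL-encoded base64 of the DER request), hands the DER to `openssl ocsp` in responder mode via temporary files, and returns the DER response as application/ocsp-response. The `-index`, `-CA`, `-rsigner`, `-rkey`, `-nmin`, `-reqin` and `-respout` options are real `openssl ocsp` options; the file names index.txt, ca.pem, ocsp.pem and ocsp.key and the directory they live in are assumptions for the example, and the request is passed through a file rather than on the command line so attacker-controlled bytes never reach a shell. As Stephen notes, index.txt is parsed on every request, which is what makes this slow.

```python
#!/usr/bin/env python3
"""CGI wrapper: answer OCSP-over-HTTP by shelling out to `openssl ocsp`.

Assumed (hypothetical) files next to the script:
  index.txt  the CA's index database as written by `openssl ca`
  ca.pem     the issuing CA certificate
  ocsp.pem   the responder certificate (OCSP signing EKU); ocsp.key is its key
"""
import base64
import os
import subprocess
import sys
import tempfile
import urllib.parse

# Requests are small (RFC 6960 A.1 even suggests GET for anything < 255 bytes);
# refuse anything larger so a client cannot fill /tmp or stall the responder.
MAX_REQUEST = 64 * 1024


def is_der_sequence(der):
    """Cheap structural check: exactly one DER SEQUENCE whose length spans the buffer.

    Not a full parse; it just rejects garbage before `openssl ocsp` sees it.
    """
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form length
        hdr, length = 2, first
    else:                                  # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + length == len(der)


def decode_request(method, path_info, body):
    """Return the DER OCSP request carried by a CGI request, or None if malformed."""
    if method == "POST":
        der = body
    elif method == "GET":
        # GET /<url-encoded base64(DER)>; '/' inside the base64 arrives as %2F
        b64 = urllib.parse.unquote(path_info.lstrip("/"))
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:                 # binascii.Error is a ValueError
            return None
    else:
        return None
    if not der or len(der) > MAX_REQUEST or not is_der_sequence(der):
        return None
    return der


def build_ocsp_cmd(req_path, resp_path, conf_dir="."):
    """argv for `openssl ocsp` acting as responder for a single request file."""
    return ["openssl", "ocsp",
            "-index", os.path.join(conf_dir, "index.txt"),
            "-CA", os.path.join(conf_dir, "ca.pem"),
            "-rsigner", os.path.join(conf_dir, "ocsp.pem"),
            "-rkey", os.path.join(conf_dir, "ocsp.key"),
            "-nmin", "5",          # short nextUpdate: index.txt is re-read per request anyway
            "-reqin", req_path,
            "-respout", resp_path]


def respond(der, conf_dir="."):
    """Run `openssl ocsp` on one DER request; return DER response bytes or None."""
    with tempfile.TemporaryDirectory() as tmp:
        req_path = os.path.join(tmp, "req.der")
        resp_path = os.path.join(tmp, "resp.der")
        with open(req_path, "wb") as f:
            f.write(der)
        try:
            proc = subprocess.run(build_ocsp_cmd(req_path, resp_path, conf_dir),
                                  stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                                  timeout=10)
        except (OSError, subprocess.TimeoutExpired):
            return None
        if proc.returncode != 0 or not os.path.exists(resp_path):
            return None
        with open(resp_path, "rb") as f:
            return f.read()


def main():
    method = os.environ.get("REQUEST_METHOD", "")
    path_info = os.environ.get("PATH_INFO", "")
    body = sys.stdin.buffer.read(MAX_REQUEST + 1) if method == "POST" else b""
    der = decode_request(method, path_info, body)
    resp = respond(der, os.path.dirname(os.path.abspath(__file__))) if der else None
    out = sys.stdout.buffer
    if resp is None:
        out.write(b"Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n"
                  b"malformed OCSP request\r\n")
        return
    out.write(b"Content-Type: application/ocsp-response\r\n")
    out.write(b"Content-Length: %d\r\n\r\n" % len(resp))
    out.write(resp)


if __name__ == "__main__":
    main()
```

Install it as a CGI handler (for example under /ocsp/ in Apache with `ScriptAlias`) and point the certificates' AIA OCSP URL at it. The web server handles concurrency and interface binding, which the standalone `openssl ocsp -port` mode does not. Two caveats a practitioner would want: a strict RFC 6960 responder answers a malformed request with an OCSP response of status malformedRequest rather than a bare HTTP 400, and the responder key should be a dedicated OCSP signing key (the `-rsigner` certificate issued by the CA with the OCSP signing extended key usage), not the CA key itself.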