On 09/12/2017 09:38 AM, Robert Moskowitz wrote:
On 09/12/2017 09:09 AM, Dr. Stephen Henson wrote:
On Mon, Sep 11, 2017, Robert Moskowitz wrote:
I would actually really like to have a SIMPLE OCSP responder. But
so far have not found one. freeIPA has one buried within it, but
that is too disruptive to install unless you buy into freeIPA.
Well the OpenSSL ocsp responder isn't much use for that, it only handles one request at a time, can't handle dynamic updates in the status information (needs to be restarted), has pretty awful performance (reads status from a text file which resides in memory) and you can't tell it which interface to bind to either.

There is a way to deal with some of those issues by running the ocsp utility from a CGI script in a web server. The script decodes the OCSP request, hands it to the ocsp utility and sends back the response. The down side is the performance is worse: the OCSP utility has to parse the text file and read it into memory on every incoming request.
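The CGI approach described above, as an added example that is not from the thread or from OpenSSL itself: a POSIX sh CGI script that checks the incoming POST, hands the DER request to the ocsp utility with -reqin/-respout, and returns the signed response. It assumes a CGI-capable web server; the index, CA certificate and responder key/certificate paths are placeholders.

```shell
#!/bin/sh
# Added example: CGI front end for "openssl ocsp" used in responder mode.
# Assumes a CGI-capable web server and a CA index in "openssl ca" format;
# the four paths below are placeholders for your own files.
CA_INDEX="${OCSP_INDEX:-/etc/ocsp/index.txt}"
CA_CERT="${OCSP_CA:-/etc/ocsp/ca.crt}"
RSIGNER="${OCSP_RSIGNER:-/etc/ocsp/ocsp.crt}"   # responder signing cert
RKEY="${OCSP_RKEY:-/etc/ocsp/ocsp.key}"         # readable by the CGI user only

# Accept only what RFC 6960 appendix A.1 defines: a POST whose body is a
# DER OCSPRequest, with a positive and bounded Content-Length.
ocsp_request_ok() {
    method="$1"; ctype="$2"; length="$3"
    [ "$method" = "POST" ] || return 1
    [ "$ctype" = "application/ocsp-request" ] || return 1
    case "$length" in ''|*[!0-9]*) return 1 ;; esac
    [ "$length" -gt 0 ] && [ "$length" -le 65536 ] || return 1
    return 0
}

# CGI reply: status, content type, blank line, then an optional body file.
cgi_reply() {
    printf 'Status: %s\r\nContent-Type: %s\r\n\r\n' "$1" "$2"
    if [ -n "${3:-}" ]; then cat "$3"; fi
}

main() {
    if ! ocsp_request_ok "${REQUEST_METHOD:-}" "${CONTENT_TYPE:-}" "${CONTENT_LENGTH:-}"
    then
        cgi_reply "400 Bad Request" "text/plain"
        printf 'POST a DER-encoded OCSP request as application/ocsp-request\n'
        return 0
    fi
    tmp=$(mktemp -d) || return 1
    trap 'rm -rf "$tmp"' EXIT
    dd bs=1 count="$CONTENT_LENGTH" 2>/dev/null > "$tmp/req.der"  # body only
    # One openssl run per hit: index.txt is re-read and re-parsed each time,
    # which is exactly the performance cost the thread describes.
    if openssl ocsp -index "$CA_INDEX" -CA "$CA_CERT" -rsigner "$RSIGNER" \
            -rkey "$RKEY" -reqin "$tmp/req.der" -respout "$tmp/resp.der" \
            >/dev/null 2>&1
    then
        cgi_reply "200 OK" "application/ocsp-response" "$tmp/resp.der"
    else
        cgi_reply "500 Internal Server Error" "text/plain"
        printf 'OCSP responder error\n'
    fi
}
# Run only when a web server invokes us as CGI (REQUEST_METHOD is set).
if [ -n "${REQUEST_METHOD:-}" ]; then main; fi
```

Point the OCSP URL in issued certificates at this script; a client-side check with `openssl ocsp -url ... -issuer ca.crt -cert some.crt` exercises the whole path end to end.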
Yeah, I thought of the cgi (or php) approach and kind of cringed. That
is why I am still googling for OCSP responders. Rather depressing how
little is out there.
I see ocspd available in Fedora. I will have to do a bit of
reading... Perhaps part of OpenCA...
Sometimes start in the 'obvious' starting point. Like your own OS repo...
Also nice would be index.txt in SQL.
Bob
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users