On 09/12/2017 09:38 AM, Robert Moskowitz wrote:


On 09/12/2017 09:09 AM, Dr. Stephen Henson wrote:
On Mon, Sep 11, 2017, Robert Moskowitz wrote:

I would actually really like to have a SIMPLE OCSP responder.  But
so far have not found one.  freeIPA has one buried within it, but
that is too disruptive to install unless you buy into freeIPA.

Well the OpenSSL ocsp responder isn't much use for that, it only handles one request at a time, can't handle dynamic updates in the status information (needs to be restarted), has pretty awful performance (reads status from a text file which resides in memory) and you can't tell it which interface to bind to either.

There is a way to deal with some of those issues by running the ocsp utility from a CGI script in a web server. The script decodes the OCSP request, hands it to the ocsp utility and sends back the response. The down side is the performance is worse: the OCSP utility has to parse the text file and read it into memory on every incoming request.

Yeah, I thought of the cgi (or php) approach and kind of cringed. That is why I am still googling for OCSP responders. Rather depressing how little is out there.
I see ocspd available in Fedora. I will have to do a bit of reading.... Perhaps part of OpenCA...

Sometimes start at the 'obvious' starting point.  Like your own OS repo...



Also nice would be index.txt in SQL.

Bob
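The CGI arrangement Stephen describes, written out as an added example (my own code, not anything from OpenSSL or from this thread): a Python CGI script that takes the OCSP request from the web server (POST body, or base64 in the path for GET), hands it to `openssl ocsp` in one-shot mode, and returns the DER response with the `application/ocsp-response` content type. The file paths are placeholders, and `run` is injectable so the HTTP glue can be exercised without a CA behind it.

```python
import base64, os, subprocess, sys, tempfile, urllib.parse

# Placeholder paths (assumptions): point these at the CA's own files when deploying.
INDEX = "/etc/myca/index.txt"      # the CA database that `openssl ocsp -index` reads
CA_CERT = "/etc/myca/ca.pem"
SIGNER = "/etc/myca/ocsp.pem"      # dedicated OCSP signing certificate
SIGNER_KEY = "/etc/myca/ocsp.key"

def ocsp_command(req_path, resp_path, index=INDEX, ca=CA_CERT, signer=SIGNER, key=SIGNER_KEY):
    """One-shot invocation: openssl re-parses index.txt on every request (the cost
    Stephen mentions) but also sees status updates without a restart."""
    return ["openssl", "ocsp", "-index", index, "-CA", ca, "-rsigner", signer,
            "-rkey", key, "-reqin", req_path, "-respout", resp_path]

def extract_request(method, content_type, path_info, body):
    """Return the DER-encoded OCSP request, or None if the HTTP request is malformed."""
    if method == "POST":  # RFC 6960 A.1: the body is the DER request
        if content_type.split(";")[0].strip().lower() != "application/ocsp-request":
            return None
        return body or None
    if method == "GET":  # RFC 6960 A.1: base64 request, URL-encoded, in the path
        try:
            return base64.b64decode(urllib.parse.unquote(path_info.lstrip("/")), validate=True) or None
        except ValueError:  # also covers binascii.Error raised on bad base64
            return None
    return None

def handle(method, content_type, path_info, body, run=subprocess.run):
    """Return (status, content type, body); `run` is injectable so tests need no CA."""
    der = extract_request(method, content_type, path_info, body)
    if der is None:
        return "400 Bad Request", "text/plain", b"malformed OCSP request\n"
    with tempfile.TemporaryDirectory() as d:
        req_path, resp_path = os.path.join(d, "req.der"), os.path.join(d, "resp.der")
        with open(req_path, "wb") as f:
            f.write(der)
        proc = run(ocsp_command(req_path, resp_path), capture_output=True, timeout=10)
        if proc.returncode != 0 or not os.path.exists(resp_path):
            return "500 Internal Server Error", "text/plain", b"responder error\n"
        with open(resp_path, "rb") as f:
            return "200 OK", "application/ocsp-response", f.read()

if __name__ == "__main__":  # CGI entry point: environment and stdin in, headers and DER out
    status, ctype, out = handle(os.environ.get("REQUEST_METHOD", ""), os.environ.get("CONTENT_TYPE", ""),
                                os.environ.get("PATH_INFO", ""), sys.stdin.buffer.read())
    sys.stdout.buffer.write(f"Status: {status}\r\nContent-Type: {ctype}\r\n\r\n".encode() + out)
```

Because every request spawns a fresh `openssl ocsp`, the script inherits the per-request parsing cost Stephen points out, but it gets the interface binding and the "edit index.txt without a restart" behaviour from the web server for free.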


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
