Re: Why is this OCSP response reporting a hash using SHA1?


On 12/09/2017 15:56, Robert Moskowitz wrote:


On 09/12/2017 09:38 AM, Robert Moskowitz wrote:


On 09/12/2017 09:09 AM, Dr. Stephen Henson wrote:
On Mon, Sep 11, 2017, Robert Moskowitz wrote:

I would actually really like to have a SIMPLE OCSP responder.  But
so far have not found one.  freeIPA has one buried within it, but
that is too disruptive to install unless you buy into freeIPA.

Well the OpenSSL ocsp responder isn't much use for that, it only handles one request at a time, can't handle dynamic updates in the status information (needs to be restarted), has pretty awful performance (reads status from a text file which resides in memory) and you can't tell it which interface to bind to either.

There is a way to deal with some of those issues by running the ocsp utility from a CGI script in a web server. The script decodes the OCSP request, hands it to the ocsp utility and sends back the response. The down side is the performance is worse: the OCSP utility has to parse the text file and read it into memory on every incoming request.

Yeah, I thought of the cgi (or php) approach and kind of cringed. That is why I am still googling for OCSP responders. Rather depressing how little is out there.
I see ocspd available in Fedora.  I will have to do a bit of reading....  Perhaps part of OpenCA...

Yes it's part of OpenCA, not sure of the OpenCA project status though.

Another standalone ocsp responder, which unfortunately seems to require
a complete Java environment and a Java driver to treat the cert list as
a "database" is the one from EJBCA.

EJBCA seems to be very actively maintained and some professionals
consider it the best CA implementation suite.

Sometimes start at the 'obvious' starting point.  Like your own OS repo...



Also nice would be index.txt in SQL.

Bob



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users