On 22/09/2017 18:32, Richard Moore wrote:
> On 22 September 2017 at 15:08, Salz, Rich via openssl-users
> <openssl-users@xxxxxxxxxxx> wrote:
>> Openssl 0.9.8 is old and obsolete and has security issues; you
>> should upgrade.
>> But even if you upgrade, the ocsp command will not listen on
>> HTTPS; that is not supported.
> It's also worth pointing out that CAs are banned from running OCSP
> servers over HTTPS anyway and it isn't needed since the responses are
> already signed - http is fine.
That particular ban has an interesting backstory of bureaucratic
decisions that seem misguided in retrospect.
The problem is that the information in OCSP requests is potentially
very valuable to an attacker who lacks the ability to fully wiretap
the connections between the OCSP client and the ultimate source of
the checked certificate.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
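The point made above, that an OCSP response carries its own signature and so does not rely on the transport for integrity, can be checked end to end with the same `ocsp` command against a throw-away CA; this is an added example, not code from the thread, and it assumes an `openssl` binary on PATH, with every name, serial, date and path constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from this thread): build a throw-away CA and leaf
# cert, have `openssl ocsp` answer a request offline, then check the response
# as-is and with one byte of its signature changed. Assumes `openssl` on PATH;
# every name, serial, date and path below is constructed for the demo.
set -e
W=$(mktemp -d)
cd "$W"

# Demo CA, leaf certificate, CA index file and a signed OCSP response.
make_ocsp_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/CN=Demo Test CA" -days 30 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=leaf.example.test" >/dev/null 2>&1
    # Fixed serial so that the index row below matches the certificate.
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
        -out leaf.pem -days 30 >/dev/null 2>&1
    # One "V" (valid) row in OpenSSL's index.txt layout: type, expiry,
    # revocation date (empty), serial, filename, subject.
    printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=leaf.example.test\n' > index.txt
    # Act as responder for the request built from -issuer/-cert and sign the
    # response with the CA key; -resp_no_certs makes the file end with the
    # signature bytes, which tamper_last_byte relies on.
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -issuer ca.pem -cert leaf.pem -no_nonce -resp_no_certs \
        -CAfile ca.pem -verify_other ca.pem -respout resp.der >/dev/null 2>&1
}

# Exit status 0 only if openssl reports "Response verify OK" for $1.
ocsp_verify() {
    openssl ocsp -respin "$1" -issuer ca.pem -cert leaf.pem -CAfile ca.pem \
        -verify_other ca.pem -no_nonce >/dev/null 2>&1
}

# Copy $1 to $2 with the final byte incremented (mod 256); the DER lengths
# stay valid, so only the signature check can catch the change.
tamper_last_byte() {
    size=$(wc -c < "$1")
    last=$(tail -c 1 "$1" | od -An -tu1 | tr -d ' ')
    dd if="$1" of="$2" bs=1 count=$((size - 1)) 2>/dev/null
    printf "\\$(printf '%03o' $(( (last + 1) % 256 )))" >> "$2"
}

make_ocsp_fixture
tamper_last_byte resp.der tampered.der
ocsp_verify resp.der && echo "resp.der: signature verifies"
ocsp_verify tampered.der || echo "tampered.der: verification fails"
```

The same check is what a client does with a response fetched over plain HTTP, which is why an on-path modification is caught while the request contents themselves remain readable to that observer.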
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users