[openssl-users] OCSP: ocsp.omniroot.com/baltimore/... - what is it exactly?
This might not be very relevant to OpenSSL, but I'm not sure if there is any better list for this question...

My webserver is getting flooded with queries like:

    ocsp.omniroot.com 124.205.254.7 - - [30/Apr/2015:19:24:30 +0200] GET /baltimoreroot/MEowSKADAgEAMEEwPzA9MAkGBSsOAwIaBQAEFMEvRXbtFVnssF26ib%2BdgHjlI9QTBBTlnVkwgkdYzKz6CFQ2hns6tQRN8AIEByekag%3D%3D HTTP/1.1 301 184 - ocspd/1.0.3
    ocsp.omniroot.com 222.161.249.75 - - [30/Apr/2015:19:24:33 +0200] GET /baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACBAcnqkc%3D HTTP/1.1 301 184 - Microsoft-CryptoAPI/6.1

If I understand it right, because the query was sent to my server (China's Great Firewall DNS poisoning at work), and not to the original ocsp.omniroot.com, somebody's browser or device was not able to verify if the certificate is still valid or not - am I correct here?

Is it possible to say what Common name / fqdn / certificate is queried in such requests?

Tomasz Chmielewski

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] OCSP: ocsp.omniroot.com/baltimore/... - what is it exactly?
Hello,

On 30/04/2015 19:44, Tomasz Chmielewski wrote:
> This might not be very relevant to OpenSSL, but I'm not sure if there is any better list for this question...
>
> My webserver is getting flooded with queries like:
>
> ocsp.omniroot.com 124.205.254.7 - - [30/Apr/2015:19:24:30 +0200] GET /baltimoreroot/MEowSKADAgEAMEEwPzA9MAkGBSsOAwIaBQAEFMEvRXbtFVnssF26ib%2BdgHjlI9QTBBTlnVkwgkdYzKz6CFQ2hns6tQRN8AIEByekag%3D%3D HTTP/1.1 301 184 - ocspd/1.0.3
> ocsp.omniroot.com 222.161.249.75 - - [30/Apr/2015:19:24:33 +0200] GET /baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACBAcnqkc%3D HTTP/1.1 301 184 - Microsoft-CryptoAPI/6.1
>
> If I understand it right, because the query was sent to my server (China's Great Firewall DNS poisoning at work), and not to the original ocsp.omniroot.com, somebody's browser or device was not able to verify if the certificate is still valid or not - am I correct here?

I don't remember the exact behaviour of the first client (I guess it's an Apple machine) on receiving this answer. For the Microsoft one, the client will try to get the CRL, and should also try a POST request to the OCSP responder, but I don't remember which one is tried first.

> Is it possible to say what Common name / fqdn / certificate is queried in such requests?

Not directly. The first request asks for the status of the certificate whose serial number is 0x0727A46A, the second for the certificate with serial number 0x0727AA47. Both certificates are issued under the same CA; this CA is the root C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root.

If you can crawl a certificates database (there are several out there), you can probably find the exact requested certificate (it should be a CA, too).
Re: [openssl-users] OCSP: ocsp.omniroot.com/baltimore/... - what is it exactly?
> My webserver is getting flooded with queries like:
>
> ocsp.omniroot.com 124.205.254.7 - - [30/Apr/2015:19:24:30 +0200] GET /baltimoreroot/MEowSKADAgEAMEEwPzA9MAkGBSsOAwIaBQAEFMEvRXbtFVnssF26ib%2BdgHjlI9QTBBTlnVkwgkdYzKz6CFQ2hns6tQRN8AIEByekag%3D%3D HTTP/1.1 301 184 - ocspd/1.0.3

Well, that stinks.

url-decoding (%2b is + and %3d is =), and then base64 decoding it can give you the OCSP request:

    ; ./openssl ocsp -text -reqin x.der
    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: C12F4576ED1559ECB05DBA89BF9D8078E523D413
              Issuer Key Hash: E59D5930824758CCACFA085436867B3AB5044DF0
              Serial Number: 0727A46A

> Is it possible to say what Common name / fqdn / certificate is queried in such requests?

Not really. The protocol assumes that the requestor has the cert, and the server has the serial#, so the protocol sends the minimal information. Sorry.
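The two replies above describe the same decoding by hand: URL-decode the last path segment, base64-decode it, and read the CertID (hash algorithm, issuer name hash, issuer key hash, serial number) out of the DER. The script below is an added example, not code from either poster or from OpenSSL: it does that decoding over an access log using only the Python 3 standard library, so an operator whose server is receiving misdirected OCSP traffic can see which issuer and serial numbers are being asked about without shelling out to `openssl ocsp`. The log lines are constructed for the example from the two request paths quoted in the thread; the function names are the example's own.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample log: the two request paths quoted in the thread, in the
# same flattened access-log layout the original post showed.
SAMPLE_LOG = """\
ocsp.omniroot.com 124.205.254.7 - - [30/Apr/2015:19:24:30 +0200] GET /baltimoreroot/MEowSKADAgEAMEEwPzA9MAkGBSsOAwIaBQAEFMEvRXbtFVnssF26ib%2BdgHjlI9QTBBTlnVkwgkdYzKz6CFQ2hns6tQRN8AIEByekag%3D%3D HTTP/1.1 301 184 - ocspd/1.0.3
ocsp.omniroot.com 222.161.249.75 - - [30/Apr/2015:19:24:33 +0200] GET /baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACBAcnqkc%3D HTTP/1.1 301 184 - Microsoft-CryptoAPI/6.1
"""

# Only the two digest OIDs an OCSP CertID is likely to carry; anything else is
# reported as a dotted OID string.
OID_NAMES = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(constructed):
    """Yield (tag, value) for each element directly inside a constructed value."""
    pos = 0
    while pos < len(constructed):
        tag, val, pos = _read_tlv(constructed, pos)
        yield tag, val


def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_ocsp_request(der):
    """Return the CertIDs in a DER OCSPRequest (RFC 6960 section 4.1.1).

    OCSPRequest -> TBSRequest -> requestList -> Request -> CertID, where CertID is
    SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }.
    """
    tag, ocsp_request, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("OCSPRequest is not a SEQUENCE")
    tbs_tag, tbs = next(_children(ocsp_request))
    if tbs_tag != 0x30:
        raise ValueError("TBSRequest is not a SEQUENCE")
    # [0] version and [1] requestorName are optional context tags (0xA0/0xA1) that
    # may precede requestList; the first plain SEQUENCE inside TBSRequest is the list.
    request_list = next(val for t, val in _children(tbs) if t == 0x30)
    cert_ids = []
    for _, request in _children(request_list):
        _, cert_id = next(_children(request))               # reqCert CertID
        alg, name_hash, key_hash, serial = [val for _, val in _children(cert_id)][:4]
        oid = _decode_oid(next(_children(alg))[1])          # AlgorithmIdentifier.algorithm
        cert_ids.append({
            "hash_algorithm": OID_NAMES.get(oid, oid),
            "issuer_name_hash": name_hash.hex().upper(),
            "issuer_key_hash": key_hash.hex().upper(),
            # raw INTEGER content; a leading 00 pad byte is kept if present
            "serial_number": serial.hex().upper(),
        })
    return cert_ids


def decode_get_request(path):
    """Decode the OCSP-over-GET form (RFC 6960 A.1): URL-encoded base64(DER) as last path segment."""
    encoded = unquote(path.rsplit("/", 1)[-1])
    return parse_ocsp_request(base64.b64decode(encoded))


def scan_log(text):
    """Extract every decodable OCSP CertID from GET request paths in an access log."""
    hits = []
    for line in text.splitlines():
        m = re.search(r"GET (\S+) HTTP", line)
        if not m:
            continue
        try:
            hits.extend(decode_get_request(m.group(1)))
        except (ValueError, IndexError, StopIteration):
            continue                                        # not an OCSP request path
    return hits


if __name__ == "__main__":
    for cert_id in scan_log(SAMPLE_LOG):
        print(cert_id)
```

Running it prints the same issuer name hash, issuer key hash and serials (0727A46A and 0727AA47) that the replies above obtained with `openssl ocsp -text`. As the thread notes, the CertID names only the issuer (by hashes) and the serial; mapping a serial back to a subject still requires a certificate database or the issuer's own records. The issuer key hash can be checked against a candidate CA by hashing the CA certificate's subjectPublicKey bit string with the named algorithm.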