Hi list,

I successfully set up ocspd with data from 9 CAs as a single point of revocation data. I left most of the general options in ocspd.conf at their defaults. After starting the daemon, everything works as expected. A regular check (a Nagios check script which issues a request via openssl ocsp) shows whether the daemon is responding and whether the response contains the expected data.

Now, after increasing usage of OCSP by local applications, after running for a while the daemon starts adding invalid signatures to its responses. A restart fixes the problem for another while, which can be days or just an hour. The Nagios check, running every few minutes, doesn't seem to trigger the problem, since until now it has only occurred during the daytime. The logs (the daemon is always started with -verbose) don't really tell a big story: there's no difference in the entries before, while and after the problem occurs.

Trying to circumvent possible problems with temporary network or CA server outages, I switched from getting the CRL info via HTTP to local files, regularly pulled by a separate script, but with no success. The behaviour is the same as before.

So, I think I need a little help from the list: What can cause the signatures to suddenly become invalid, and how can this be prevented? Could this be an obscure bug in ocspd, maybe in conjunction with threading?

seBASStian
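
Added example, not part of the original message and not the poster's check script: a Nagios-style classifier for `openssl ocsp` output that evaluates the signature verification result before the certificate status, so an invalid signature raises CRITICAL even when the status line still reads `good`. The function names, the four positional arguments and the sample outputs are assumptions constructed for illustration; it relies on the `Response verify OK` / `Response Verify Failure` lines that `openssl ocsp` prints.

```shell
#!/bin/sh
# Added example: classify `openssl ocsp` output for a Nagios check.

# classify_ocsp_output TEXT EXPECTED_STATUS
# Prints one Nagios status line; always returns 0 so callers can capture it.
classify_ocsp_output() {
    out=$1
    expected=$2
    # Signature check comes first: a status line can be present even when
    # the response signature did not verify.
    if printf '%s\n' "$out" | grep -q 'Response Verify Failure'; then
        echo "CRITICAL: OCSP response signature invalid"
        return 0
    fi
    if ! printf '%s\n' "$out" | grep -q 'Response verify OK'; then
        echo "UNKNOWN: no verification result in openssl output"
        return 0
    fi
    # Status line looks like "<cert file>: good|revoked|unknown".
    status=$(printf '%s\n' "$out" |
        awk '/: (good|revoked|unknown)$/ { print $NF; exit }')
    if [ "$status" = "$expected" ]; then
        echo "OK: signature valid, certificate status $status"
    else
        echo "CRITICAL: signature valid, status '${status:-none}', expected $expected"
    fi
}

# Map the status line to the Nagios plugin exit code.
nagios_exit_code() {
    case $1 in
        OK:*) echo 0 ;;
        CRITICAL:*) echo 2 ;;
        *) echo 3 ;;
    esac
}

# Constructed sample outputs (not captured from a real responder).
SAMPLE_GOOD='Response verify OK
cert.pem: good'
SAMPLE_BADSIG='Response Verify Failure
cert.pem: good'

# Live use (hypothetical invocation): check.sh ISSUER CERT URL CAFILE
if [ "$#" -eq 4 ]; then
    # Verification messages go to stderr, so merge both streams.
    out=$(openssl ocsp -issuer "$1" -cert "$2" -url "$3" -CAfile "$4" 2>&1)
    line=$(classify_ocsp_output "$out" good)
    echo "$line"
    exit "$(nagios_exit_code "$line")"
fi
```

Logging the raw `openssl ocsp` output with a timestamp on every CRITICAL result gives a record that can be lined up against the ocspd log and the application load at that moment.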