Hi,

> Basscontrol writes:
>> > The workaround for the OCSP responder has minimized the impact of the
>> > stability problems,
>
> Which workaround do you use right now?
> We'll implement OCSP in a production environment very soon and it'd be
> very good if it would be stable under high load.
>
> Please provide me that workaround.
>
Update:
While using the latest "official" release (1.5.1-rc1), I stumbled upon an
unannounced OCSPd version on the FTP server:
http://ftp.openca.org/openca-ocspd/releases/v1.9.0/sources/openca-ocspd-1.9.0.tar.gz
The changelog says work has been done to fix a problem with threading.
Maybe this fixes the annoying response signature problem on my busy
server.
For testing, I had to modify ocspd.conf. I added
http_proto = 1.0
and a line
server_cert = file:///usr/local/ocspd/etc/ocspd/certs/ocspd_cert.pem
for every CA instance.
Without http_proto = 1.0, the daemon was hanging at start while requesting
CA certificates and CRLs via HTTP. Every connection was stuck until the
web server at the other end terminated it (after a timeout expired).
It seems the HTTP client code doesn't terminate the connections it
initiated, even if it received the complete object.
For the HTTP/1.0 header to really work, a small patch was necessary:

--- ocspd.c.orig        2009-06-08 19:24:05.000000000 +0200
+++ ocspd.c     2010-06-14 12:12:57.000000000 +0200
@@ -525,9 +525,12 @@
        /* HTTP protocol version to be used when requesting objects */
         if ((ocspd_conf->http_proto = NCONF_get_string(ocspd_conf->conf,
                         section, ENV_OCSPD_HTTP_PROTO)) == NULL) {
-               } else {
+                       if( verbose )
+                       lookup_fail(section,ENV_OCSPD_HTTP_PROTO);
                ocspd_conf->http_proto = OCSP_DEFAULT_HTTP_PROTO;
-       }
+               } /*else {
+               ocspd_conf->http_proto = ENV_OCSP_HTTP_PROTO;
+       }*/

        /* Maximum timeout allowed for network operations */
         if ((max_timeout_s == NULL) && ((max_timeout_s =
NCONF_get_string(ocspd_conf->conf,
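Review bot: the original branches were inverted: when NCONF_get_string found the key, the configured value was immediately overwritten with OCSP_DEFAULT_HTTP_PROTO in the else branch, and when it was missing, http_proto stayed NULL; the fix correctly keeps the parsed value and falls back to the default only when the key is absent. Two points for the final version: the `if( verbose )` line governs only the `lookup_fail(...)` call, but the indentation makes the following assignment look conditional as well, so wrap it in braces (`if (verbose) { lookup_fail(section, ENV_OCSPD_HTTP_PROTO); }`); and the commented-out `else` block assigning the differently named ENV_OCSP_HTTP_PROTO should be deleted rather than shipped as dead code.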

This forces HTTP/1.0 headers in the requests, so the server terminates
the connection immediately after sending an object.
Now, I'm testing this version, which seems to work so far. Whether the
response signature issues are fixed, I'll be able to tell in a few days.

seBASStian
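
The hang described above (a client that treats "server closed the socket" as end of transfer, talking to an HTTP/1.1 server that keeps the connection open) is easy to reproduce on loopback. The following is an added example, not code from ocspd or the OpenCA project: a minimal HTTP server that keeps HTTP/1.1 connections alive and closes HTTP/1.0 ones, a naive read-until-EOF client like the one the mail describes, and, going beyond the workaround in the thread, a client that stops at Content-Length so it never depends on the server closing. The served object is a constructed placeholder standing in for a CA certificate or CRL; paths, port selection and the one-second timeout are assumptions for the demo.

```python
"""Reproduce the read-until-EOF hang against an HTTP/1.1 keep-alive server
and show the two ways out: request HTTP/1.0 / "Connection: close", or stop
reading at Content-Length.  Added example, not ocspd code."""
import socket
import threading

# Constructed stand-in for the CRL or CA certificate ocspd fetches at start.
SAMPLE_OBJECT = (b"-----BEGIN X509 CRL-----\n"
                 b"MIIB...constructed placeholder, not a real CRL...\n"
                 b"-----END X509 CRL-----\n")


def _handle_client(conn):
    """Server side: answer requests; keep HTTP/1.1 connections open unless
    the client sent 'Connection: close'; close after any HTTP/1.0 request."""
    try:
        buf = b""
        while True:
            while b"\r\n\r\n" not in buf:
                chunk = conn.recv(4096)
                if not chunk:          # client closed (or gave up)
                    return
                buf += chunk
            head, _, buf = buf.partition(b"\r\n\r\n")
            lines = head.split(b"\r\n")
            version = lines[0].decode("latin-1").rsplit(" ", 1)[-1]
            headers = {k.strip().lower(): v.strip().lower() for k, _, v in
                       (l.decode("latin-1").partition(":") for l in lines[1:])}
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Type: application/pkix-crl\r\n"
                         b"Content-Length: %d\r\n\r\n" % len(SAMPLE_OBJECT)
                         + SAMPLE_OBJECT)
            if version == "HTTP/1.0" or headers.get("connection") == "close":
                return                 # close now; an EOF-driven client finishes
            # HTTP/1.1 default: keep-alive, wait for the next request
    except OSError:
        pass
    finally:
        conn.close()


def start_server():
    """Start the loopback server on an ephemeral port; returns (socket, port)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:            # listening socket closed
                return
            threading.Thread(target=_handle_client, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def fetch_read_until_eof(port, path, version="HTTP/1.1", extra_headers=(), timeout=1.0):
    """Naive client in the style the mail describes: the transfer is only
    considered done when the server closes the socket.  Returns (status, bytes)."""
    s = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    req = "GET %s %s\r\nHost: 127.0.0.1\r\n" % (path, version)
    req += "".join(h + "\r\n" for h in extra_headers) + "\r\n"
    s.sendall(req.encode())
    data = b""
    try:
        while True:
            chunk = s.recv(4096)
            if not chunk:
                return "closed_by_server", data
            data += chunk
    except socket.timeout:             # the ocspd symptom: stuck until a timeout
        return "stuck_until_timeout", data
    finally:
        s.close()


def fetch_content_length(port, path, version="HTTP/1.1", timeout=1.0):
    """Proper fix: stop at Content-Length and close the socket ourselves,
    independent of the server's keep-alive policy and of the HTTP version."""
    s = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    s.sendall(("GET %s %s\r\nHost: 127.0.0.1\r\n\r\n" % (path, version)).encode())
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = s.recv(4096)
        if not chunk:
            break
        buf += chunk
    head, _, body = buf.partition(b"\r\n\r\n")
    length = None
    for line in head.split(b"\r\n")[1:]:
        k, _, v = line.partition(b":")
        if k.strip().lower() == b"content-length":
            length = int(v.strip())
    if length is None:
        raise ValueError("no Content-Length; would need chunked decoding or read-to-EOF")
    while len(body) < length:
        chunk = s.recv(4096)
        if not chunk:
            break
        body += chunk
    s.close()                          # client ends the exchange, server policy irrelevant
    return body[:length]


if __name__ == "__main__":
    srv, port = start_server()
    print("HTTP/1.1, read to EOF:", fetch_read_until_eof(port, "/ca.crl", "HTTP/1.1")[0])
    print("HTTP/1.0, read to EOF:", fetch_read_until_eof(port, "/ca.crl", "HTTP/1.0")[0])
    print("Content-Length client:", fetch_content_length(port, "/ca.crl") == SAMPLE_OBJECT)
    srv.close()
```

Run it and the HTTP/1.1 read-to-EOF fetch reports stuck_until_timeout even though the whole object arrived, which is exactly the start-up hang in the thread; the HTTP/1.0 fetch (the http_proto = 1.0 workaround) and the Content-Length client both return promptly. The Content-Length client is what a fixed HTTP client should do, since forcing HTTP/1.0 only relies on the server closing for you.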


_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
