Hi to everybody! I'm working on a project that needs a daemon that offers an OCSP responder service.

I'm running the server as indicated on the OpenSSL web page:

    openssl ocsp -index index_file.txt -CA ca-cert.pem -rsigner rsigner_cert -rkey rsigner_key -port 8888 -text -out log.txt

If I send an OCSP request to the server, the server answers the client with the correct response. My problem is that ocsp reads the index file only once, at the first request, so if I create a new cert the OCSP responder will not know about it, and the same if I revoke a cert. As far as I know, the principal difference between CRLs and OCSP is that OCSP is always up to date, so I would like the index to be read for every connection. I think this should be the correct way, isn't it?

I have been looking at the code, and the line responsible for this behaviour is this one:

    apps/ocsp.c:707    if (ridx_filename && !rdb)

If rdb is not null the index will never be read, so the server only consults the index file once during its whole execution. Is this a desired feature? I will correct this line to:

    apps/ocsp.c:707    if (ridx_filename)

so that on every connection the index is updated. What do you think?

Thank you very much,

-- 
Marc Rios Vallès
[email protected]
C3PO, S.A. http://www.c3po.es
C/ Alejandro Goicoechea, 6 Local 9 - 08960 St. Just Desvern, Barcelona
Tel. 93 417 99 55 - Fax 93 253 12 80
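As an added illustration of the behaviour discussed above (this is not code from the post or from OpenSSL), the following Python parses the OpenSSL CA index file format that `openssl ocsp -index` reads and wraps it in a lookup that re-reads the file whenever its mtime or size changes, which is the effect the proposed one-line change aims for. The index contents, serials and subjects are constructed sample data.

```python
import os

# Constructed sample of an OpenSSL CA index file (tab-separated columns:
# status, expiry, revocation date[,reason], serial, filename, subject DN)
SAMPLE_INDEX = (
    "V\t260101120000Z\t\t1001\tunknown\t/CN=alice.example\n"
    "R\t260101120000Z\t250301090000Z,keyCompromise\t1002\tunknown\t/CN=bob.example\n"
    "E\t240101120000Z\t\t1003\tunknown\t/CN=old.example\n"
)

def parse_index(text):
    """Map upper-case hex serial -> entry dict (status 'V', 'R' or 'E')."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expires, rev, serial, _fname, subject = line.split("\t", 5)
        revoked_at = reason = None
        if rev:                      # "YYMMDDHHMMSSZ[,reason]"
            revoked_at, _, reason = rev.partition(",")
            reason = reason or None
        entries[serial.upper()] = {"status": status, "expires": expires,
                                   "revoked_at": revoked_at, "reason": reason,
                                   "subject": subject}
    return entries

class ReloadingIndex:
    """Re-reads index.txt whenever its mtime or size changes, so a newly
    issued or revoked certificate is visible on the next lookup."""
    def __init__(self, path):
        self.path, self._stamp, self._entries = path, None, {}

    def entries(self):
        st = os.stat(self.path)
        stamp = (st.st_mtime_ns, st.st_size)
        if stamp != self._stamp:
            with open(self.path, encoding="utf-8") as f:
                self._entries = parse_index(f.read())
            self._stamp = stamp
        return self._entries

    def lookup(self, serial_hex):
        # Only 'R' is revoked; 'E' still answers good, since OCSP says
        # nothing about expiry. A serial not in the index is unknown.
        e = self.entries().get(serial_hex.upper())
        if e is None:
            return "unknown"
        return "revoked" if e["status"] == "R" else "good"
```

A production responder would additionally guard against reading a half-written index (the CA tool writes a new file and renames it), so checking the stamp before each request is cheap but not a substitute for atomic updates.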
