Hello, I have been developing an application using OpenSSL that needs an OCSP responder, and for testing I use the following command to create the responder:

openssl ocsp -index ./CA/index.txt -port 8888 -rsigner ./CA_resp/certs/responder.pem -rkey ./CA_resp/private/server.key -CA ./CA/ca.pem

My application was originally developed with OpenSSL 0.9.8o and worked just fine, but I recently moved to 1.0.0a and the application started failing to get a response. I spent some time looking at my application, but then I tried just running an OCSP request from the command line:

openssl ocsp -host localhost:8888 -issuer ./CA/ca.pem -cert server.pem

This failed with the following errors:

Error connecting BIO
Error querying OCSP responsder
9784056:error:0200206F:system library:connect:Connection refused:bss_conn.c:269:host=localhost:8888
9784056:error:20073067:BIO routines:CONN_STATE:connect error:bss_conn.c:273:

This process works with 0.9.8o (same certs and command lines) and even doing an OCSP request from 1.0.0a to a 0.9.8o responder worked.

A little digging led me to check the port (netstat -an | grep 8888) which showed that the responder in 1.0.0a was listening on "::1:8888" (IPv6 localhost), and the 0.9.8o responder was listening on "127.0.0.1:8888" (IPv4). I think that this may be at the heart of the problem.

I tried rebuilding 1.0.0a from source with IPv6 disabled (config with -DOPENSSL_USE_IPV6=0) but the ocsp tool didn't work (another possible bug?) so I switched it back on. I haven't yet tried the newer 1.x versions but nothing in the changelog indicates this issue was found or fixed.

Is this a real issue or am I missing something in my setup? I saw that s_server now has -4 and -6 flags to switch between IPv4 and IPv6, but the OCSP tool does not - could this be related to those changes?

My development environment is Ubuntu 10.10 with gcc 4.4.5.

Thanks!
Tim
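
Added example, not part of the original post and not OpenSSL code: a Python check that probes both loopback addresses on a port and compares the result with the address families a client gets when it resolves the host name, which is the mismatch the netstat output above points to. The function names are hypothetical; port 8888 is the one used in the post.

```python
import socket
import sys

# Loopback address for each family a responder might be bound to.
LOOPBACKS = {"IPv4": (socket.AF_INET, "127.0.0.1"),
             "IPv6": (socket.AF_INET6, "::1")}

def probe_loopback(port, timeout=1.0):
    """Return {"IPv4": bool, "IPv6": bool}: does a TCP connect succeed?"""
    results = {}
    for name, (family, addr) in LOOPBACKS.items():
        try:
            with socket.socket(family, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                s.connect((addr, port))
            results[name] = True
        except OSError:
            # Connection refused, timeout, or family not available on this host.
            results[name] = False
    return results

def resolved_families(host, port):
    """Families getaddrinfo returns for host, in the order the resolver lists them."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return ["IPv6" if fam == socket.AF_INET6 else "IPv4" for fam, *_ in infos]

def diagnose(host, port):
    """Compare where something is listening with what the host name resolves to."""
    listening = probe_loopback(port)
    order = resolved_families(host, port)
    # Families the client may try that have no listener behind them.
    unreachable = [fam for fam in order if not listening[fam]]
    return {"listening": listening, "client_order": order,
            "unreachable": unreachable}

if __name__ == "__main__":
    # Usage: python3 probe.py [host] [port]; defaults match the post.
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8888
    report = diagnose(host, port)
    print("listening on loopback:", report["listening"])
    print("name resolves to     :", report["client_order"])
    if report["unreachable"]:
        print("no listener for      :", report["unreachable"])
```

A responder bound only to "::1" shows up as IPv6 True and IPv4 False, and any client that connects only over IPv4 gets "Connection refused" against it.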