On 11/30/2012 10:32 PM, Dave Thompson wrote:
...

Hint: OCSP transport is NOT SSL/TLS. It is HTTP-based.
In principle it can be HTTPS, but normally needn't
because it is signed and cert data is public anyway,
and OpenSSL commandline responder only does HTTP
(and a very minimal HTTP at that).

s_client (and s_server) implements SSL/TLS, not
full HTTPS and not HTTP at all.

commandline ocsp requester can send (HTTP or HTTPS) to the responder
and save the response, which you then verify. See the man page.

A real app (including a verify callback to use OCSP for SSL/TLS)
would need to send the request, verify the response, and then
actually use the contents of the response (if valid).

A real app will often have access to a quality HTTP(S) client library
already fully configured with proxy rules etc.  In fact that HTTP(S)
client library might even be using the same copy of OpenSSL for HTTPS
and HTTP+TLSUpgrade.


Using port 443 for OpenSSL responder which isn't HTTPS
is misleading. 80 if available would be consistent with
the protocol, but OpenSSL responder is not a general-purpose
webserver, so something like 1080 might be better.
The man page example uses 8888.

A much more sensible setup (in most cases) would be to invoke the
openssl ocsp responder as a backend to a real HTTP(S) server such as
Apache, when the request specifies the relevant URL, while other URLs
could return "normal" content such as CRLs, CA certs, policies,
introductory front pages and other stuff often published by CAs (much
of which will be referenced in various fields in issued certificates).


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
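
The setup discussed in this thread (OpenSSL command-line responder on plain HTTP, command-line requester sending a request, saving the response and verifying it), as an added example that is not part of Jakob's or Dave's messages and not OpenSSL project code. Everything in it is an assumption made for the demo: the throwaway CA and subject names, the file names, the made-up dates in index.txt, and the port (8888 is only used because the man page example uses it; set OCSP_PORT to change it). It needs an openssl binary on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway CA, the OpenSSL command-line
# OCSP responder on plain HTTP, and the command-line requester querying it,
# saving the DER response and re-verifying it offline.
# Assumptions: file names, CA/subject names, the index.txt dates and the port
# are all made up for this demo; 8888 is just the port the man page example uses.
set -eu

WORK="$(mktemp -d)"
PORT="${OCSP_PORT:-8888}"
RESPONDER_PID=""

cleanup() {
    if [ -n "$RESPONDER_PID" ]; then kill "$RESPONDER_PID" 2>/dev/null || true; fi
    rm -rf "$WORK"
}
trap cleanup EXIT

make_ca_and_certs() {
    # Throwaway CA plus one certificate that stays valid and one we will mark revoked.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Demo OCSP CA" -days 30 >/dev/null 2>&1
    for name in good revoked; do
        openssl req -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
            -subj "/CN=$name.example" >/dev/null 2>&1
        openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
            -out "$name.crt" -days 30 >/dev/null 2>&1
    done
}

serial_of() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

write_index() {
    # "openssl ocsp -index" reads the "openssl ca" database: tab-separated
    #   status, expiry, revocation date[,reason], serial (hex), filename, subject
    # The responder uses status, revocation info and serial; the dates below are
    # made up. "R" with a UTCTime date and a reason marks the entry revoked.
    printf 'V\t301231235959Z\t\t%s\tunknown\t/CN=good.example\n' \
        "$(serial_of good.crt)" > index.txt
    printf 'R\t301231235959Z\t240601000000Z,keyCompromise\t%s\tunknown\t/CN=revoked.example\n' \
        "$(serial_of revoked.crt)" >> index.txt
    printf 'unique_subject = yes\n' > index.txt.attr
}

start_responder() {
    # Plain HTTP, no TLS: a POSTed DER OCSPRequest comes in, a signed DER
    # OCSPResponse goes out. Responses are signed here with the CA key itself.
    openssl ocsp -index index.txt -port "$PORT" -rsigner ca.crt -rkey ca.key \
        -CA ca.crt > responder.log 2>&1 &
    RESPONDER_PID=$!
}

# Print good/revoked/unknown for certificate $1 after a verified exchange; fail
# otherwise. -no_nonce so a saved response can be re-verified by a later, fresh
# invocation (a new request would otherwise carry a new nonce and fail the
# nonce check). Remaining arguments go to openssl ocsp (-url ... or -respin ...).
ocsp_status() {
    cert="$1"; shift
    out="$(openssl ocsp -issuer ca.crt -cert "$cert" -CAfile ca.crt -no_nonce "$@" 2>&1)" \
        || return 1
    printf '%s\n' "$out" | grep -q '^Response verify OK' || return 1
    printf '%s\n' "$out" | sed -n "s/^$cert: \([a-z]*\).*/\1/p"
}

run_demo() {
    cd "$WORK"
    make_ca_and_certs
    write_index
    start_responder
    # Wait for the listener: retry while the connection is still refused.
    tries=0
    until GOOD_STATUS="$(ocsp_status good.crt -url "http://127.0.0.1:$PORT" -respout good.resp)"; do
        tries=$((tries + 1))
        if [ "$tries" -ge 15 ]; then
            echo "responder did not answer:"; cat responder.log; return 1
        fi
        sleep 1
    done
    REVOKED_STATUS="$(ocsp_status revoked.crt -url "http://127.0.0.1:$PORT" -respout revoked.resp)"
    # The saved response is plain DER: verify it again with no network at all.
    OFFLINE_STATUS="$(ocsp_status revoked.crt -respin revoked.resp)"
    # The request is plain DER too; any HTTP client could POST it with
    # Content-Type: application/ocsp-request instead of using openssl's client.
    openssl ocsp -issuer ca.crt -cert good.crt -no_nonce -reqout good.req >/dev/null 2>&1
    printf 'live good: %s\nlive revoked: %s\noffline revoked: %s\nrequest bytes: %s\n' \
        "$GOOD_STATUS" "$REVOKED_STATUS" "$OFFLINE_STATUS" "$(wc -c < good.req | tr -d ' ')"
}

run_demo
```

The "Response verify OK" check is the part a real application has to reproduce itself after its own HTTP client has fetched the response: verify the response signature against the issuer (or a responder certificate it trusts), then act on the status. Nothing here uses TLS; pointing the requester at https://... would need a TLS-terminating front end in front of the responder, such as the Apache setup described above, since the openssl responder only speaks its minimal HTTP.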