Hi Patrick,

Both you and Dr. Henson have made it clear that the OCSP server
implementation is only to be used for testing. With that in mind, the server
implementation does act as a server and responds to inbound requests via
HTTP in version 0.9x, but that functionality stopped working in version 1.0.
From what I can gather after spending way too much time searching the web,
it has something to do with how v1.0 processes IPv6 instead of IPv4, and I'm
curious if you or anyone else has come up with a sharable work-around for
being able to use v1.x as an OCSP server?

Thanks,
Steve

-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Patrick Patterson
Sent: Thursday, July 18, 2013 9:35 AM
To: openssl-users@openssl.org
Subject: Re: OCSP server does not update status

Hi there,

One thing that, I think, the OCSP man page makes very clear is that the OCSP
server implementation is to be used for testing only, and not to be used for
any sort of "real-life" scenario. To get real-time updating based on changes
in the index.txt file from the CA, you'd have to write your own OCSP server
implementation. Other things that you have noticed (lack of concurrency,
etc.) are also only achievable if you write your own server.

In short - the behaviour that you are seeing is exactly as is to be expected
from a tool that exists only for testing purposes.

Have fun.

Patrick.


On 2013-07-18, at 12:19 PM, redpath wrote:

> I am testing some simple scenarios for the OCSP server.
> I have to stop and start the Server to know I revoked a cert.
> Here is my scenario.
> 
> *I start the OCSP server*
> 
> ocsp -index ./demoCA/index.txt -port 8082 -rsigner authocspsign.crt -rkey ocspsign.key -CA ./demoCA/cacert.pem -text
> 
> 
> *I check a cert*
> openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem
> 
> *and its GOOD*
> 
> *Then from a terminal I revoke a certificate*
> 
> openssl ca -revoke ./demoCA/newcerts/1009.pem
> 
> Using configuration from /usr/ssl/openssl.cnf
> Enter pass phrase for ./demoCA/private/cakey.pem:
> Revoking Certificate 1009.
> Data Base Updated
> 
> *I check it again*
> 
> openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem
> Response verify OK
> 0x1009: good
>       This Update: Jul 18 16:13:02 2013 GMT
> 
> *Not correct, it is revoked; I looked at the index.txt. I stop and 
> start the OCSP server again*
> 
> *I check again*
> 
> openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem
> Response verify OK
> 0x1009: revoked
>       This Update: Jul 18 16:13:34 2013 GMT
>       Revocation Time: Jul 18 16:12:18 2013 GMT
> 
> *And results are expected REVOKED.*
> *So what is the best practice to get the OCSP server to update?*
> 
> --
> View this message in context: http://openssl.6102.n7.nabble.com/OSCP-server-does-not-update-status-tp45877.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org

---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
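As an added example (not code from this thread or from OpenSSL), the POSIX shell script below checks for exactly the stale state redpath ran into: it compares the status recorded for a serial in the CA's index.txt with the status a running `openssl ocsp` test responder returned, so a cron job can restart the responder whenever the two disagree. The index.txt rows, serials and subjects are constructed samples, and the V/R/other to good/revoked/unknown mapping is assumed to mirror what the test responder does.

```shell
#!/bin/sh
# Added example: the OpenSSL test responder reads index.txt only at startup,
# so a disagreement between index.txt and the responder means "restart it".

# Constructed sample of an openssl-ca index.txt (tab-separated columns):
#   status  expiry(YYMMDDHHMMSSZ)  revocation-date  serial  filename  subject
# Serials and subjects are hypothetical.
SAMPLE_INDEX=$(
    printf 'V\t240718161302Z\t\t1008\tunknown\t/CN=alice\n'
    printf 'R\t240718161302Z\t130718161218Z\t1009\tunknown\t/CN=bob\n'
)

# Constructed sample of `openssl ocsp -text` client output after a revocation
# the responder has not picked up yet.
SAMPLE_RESPONSE='Response verify OK
0x1009: good
        This Update: Jul 18 16:13:02 2013 GMT'

# index_status SERIAL INDEX_TEXT -> prints good|revoked|unknown.
# Assumed mapping: V -> good, R -> revoked, anything else -> unknown.
# SERIAL may carry a 0x prefix; index.txt stores uppercase hex without it.
index_status() {
    serial=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    printf '%s\n' "$2" | awk -F '\t' -v s="$serial" '
        toupper($4) == s {
            st = "unknown"
            if ($1 == "V") st = "good"
            if ($1 == "R") st = "revoked"
            print st; found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# ocsp_status SERIAL RESPONSE_TEXT -> prints the status the responder reported
# ("0x1009: good" lines; the serial is echoed exactly as passed to -serial).
ocsp_status() {
    printf '%s\n' "$2" | awk -v s="$1" '$1 == (s ":") { print $2; exit }'
}

# responder_is_stale SERIAL INDEX_TEXT RESPONSE_TEXT -> exit 0 when they disagree
responder_is_stale() {
    [ "$(index_status "$1" "$2")" != "$(ocsp_status "$1" "$3")" ]
}

# Demonstration on the constructed samples: index says revoked, responder says good.
if responder_is_stale 0x1009 "$SAMPLE_INDEX" "$SAMPLE_RESPONSE"; then
    echo "0x1009: index.txt says $(index_status 0x1009 "$SAMPLE_INDEX")," \
         "responder says $(ocsp_status 0x1009 "$SAMPLE_RESPONSE"); restart the test responder"
fi
```

Against a live setup, feed `responder_is_stale` the real file via `"$(cat demoCA/index.txt)"` and the real client output via `"$(openssl ocsp ... -serial 0x1009 -url http://127.0.0.1:8082 ...)"`.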
