Hi Steve, On 2013-07-23, at 6:13 PM, Steven Madwin wrote:
> Hi Patrick, > > Both you and Dr. Henson have made it clear that the OCSP server > implementation is only to be used for testing. With that in mind, the server > implementation does act as a server and responds to inbound requests via > http in version 0.9x, but that functionality stopped working in version 1.0. >> From what I can gather from spending way too much time searching the web is > it has something to do with how v1.0 processes ipv6 instead of ipv4 and I'm > curious if you or anyone else has come up with a sharable work-around for > being able to use v1.x as an OCSP server? > Well, the work around that we came up with was that we followed the advice in the man page, and, for anything beyond prototyping, we wrote our own OCSP server that works reliably, and handles all of the various cases that are found in the real world. Cheers, Patrick. > Thanks, > Steve > > -----Original Message----- > From: owner-openssl-us...@openssl.org > [mailto:owner-openssl-us...@openssl.org] On Behalf Of Patrick Patterson > Sent: Thursday, July 18, 2013 9:35 AM > To: openssl-users@openssl.org > Subject: Re: OSCP server does not update status > > Hi there, > > One thing that, I think, the OCSP man page makes very clear is that the OCSP > server implementation is to be used for testing only, and not to be used for > any sort of "real-life" scenario. To get real-time updating based on changes > in the index.txt file from the CA, you'd have to write your own OCSP server > implementation. Other things that you have noticed (lack of concurrency, > etc.) are also only achievable if you write your own server. > > In short - the behaviour that you are seeing is exactly as is to be expected > from a tool that exists only for testing purposes. > > Have fun. > > Patrick. > > > On 2013-07-18, at 12:19 PM, redpath wrote: > >> I am testing some simple scenarios for the OSCP server. >> I have to stop and start the Server to know I revoked a cert. >> Here is my scenario. >> >> *I start the OSCP server* >> >> ocsp -index ./demoCA/index.txt -port 8082 -rsigner authocspsign.crt >> -rkey ocspsign.key -CA ./demoCA/cacert.pem -text >> >> >> *I check a cert* >> openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url >> http://127.0.0.1:8082 -CAfile cacert.pem >> >> *and its GOOD* >> >> *Then from a terminal I revoke a certificate* >> >> openssl ca -revoke ./demoCA/newcerts/1009.pem >> >> Using configuration from /usr/ssl/openssl.cnf Enter pass phrase for >> ./demoCA/private/cakey.pem: >> Revoking Certificate 1009. >> Data Base Updated >> >> *I check it again* >> >> openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url >> http://127.0.0.1:8082 -CAfile cacert.pem Response verify OK >> 0x1009: good >> This Update: Jul 18 16:13:02 2013 GMT >> >> *Not correct, it is revoked I looked at the index.txt. I stop and >> start the OSCP server again* >> >> *I check again* >> >> openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url >> http://127.0.0.1:8082 -CAfile cacert.pem Response verify OK >> 0x1009: revoked >> This Update: Jul 18 16:13:34 2013 GMT >> Revocation Time: Jul 18 16:12:18 2013 GMT >> >> *And results are expected REVOKED.* >> *So what is the best practice to get the OSCP server to update?* >> >> >> >> >> >> -- >> View this message in context: >> http://openssl.6102.n7.nabble.com/OSCP-server-does-not-update-status-t >> p45877.html Sent from the OpenSSL - User mailing list archive at >> Nabble.com. >> ______________________________________________________________________ >> OpenSSL Project http://www.openssl.org >> User Support Mailing List openssl-users@openssl.org >> Automated List Manager majord...@openssl.org > > --- > Patrick Patterson > Chief PKI Architect > Carillon Information Security Inc. > http://www.carillon.ca > > > > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org --- Patrick Patterson Chief PKI Architect Carillon Information Security Inc. http://www.carillon.ca ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
