RE: OSCP server does not update status
I am using OpenSSL version OpenSSL 1.0.1e 11 Feb 2013 and the ocsp works fine.

openssl ocsp -index ./demoCA/index.txt -port 8082 -rsigner authocspsign.crt -rkey ocspsign.key -CA ./demoCA/cacert.pem -text

and I issue a request and get a response nicely. But then I am using

char *url = "http://127.0.0.1:8082";

for testing.

--
View this message in context: http://openssl.6102.n7.nabble.com/OSCP-server-does-not-update-status-tp45877p45992.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: OSCP server does not update status
Hi Steve,

On 2013-07-23, at 6:13 PM, Steven Madwin wrote:

> Hi Patrick,
>
> Both you and Dr. Henson have made it clear that the OCSP server implementation is only to be used for testing. With that in mind, the server implementation does act as a server and responds to inbound requests via http in version 0.9x, but that functionality stopped working in version 1.0. From what I can gather from spending way too much time searching the web is it has something to do with how v1.0 processes ipv6 instead of ipv4 and I'm curious if you or anyone else has come up with a sharable work-around for being able to use v1.x as an OCSP server?

Well, the work around that we came up with was that we followed the advice in the man page, and, for anything beyond prototyping, we wrote our own OCSP server that works reliably, and handles all of the various cases that are found in the real world.

Cheers,

Patrick.

> Thanks,
> Steve
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Patrick Patterson
> Sent: Thursday, July 18, 2013 9:35 AM
> To: openssl-users@openssl.org
> Subject: Re: OSCP server does not update status
>
> Hi there,
>
> One thing that, I think, the OCSP man page makes very clear is that the OCSP server implementation is to be used for testing only, and not to be used for any sort of "real-life" scenario. To get real-time updating based on changes in the index.txt file from the CA, you'd have to write your own OCSP server implementation. Other things that you have noticed (lack of concurrency, etc.) are also only achievable if you write your own server.
>
> In short - the behaviour that you are seeing is exactly as is to be expected from a tool that exists only for testing purposes.
>
> Have fun.
>
> Patrick.
>
> On 2013-07-18, at 12:19 PM, redpath wrote:
>
>> I am testing some simple scenarios for the OSCP server.
>> I have to stop and start the Server to know I revoked a cert.
>> Here is my scenario.
>>
>> *I start the OSCP server*
>>
>> ocsp -index ./demoCA/index.txt -port 8082 -rsigner authocspsign.crt -rkey ocspsign.key -CA ./demoCA/cacert.pem -text
>>
>> *I check a cert*
>>
>> openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem
>>
>> *and it's GOOD*
>>
>> *Then from a terminal I revoke a certificate*
>>
>> openssl ca -revoke ./demoCA/newcerts/1009.pem
>>
>> Using configuration from /usr/ssl/openssl.cnf
>> Enter pass phrase for ./demoCA/private/cakey.pem:
>> Revoking Certificate 1009.
>> Data Base Updated
>>
>> *I check it again*
>>
>> openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem
>> Response verify OK
>> 0x1009: good
>> This Update: Jul 18 16:13:02 2013 GMT
>>
>> *Not correct, it is revoked, I looked at the index.txt. I stop and start the OSCP server again*
>>
>> *I check again*
>>
>> openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem
>> Response verify OK
>> 0x1009: revoked
>> This Update: Jul 18 16:13:34 2013 GMT
>> Revocation Time: Jul 18 16:12:18 2013 GMT
>>
>> *And results are expected REVOKED.*
>> *So what is the best practice to get the OSCP server to update?*

---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
RE: OSCP server does not update status
Hi Patrick,

Both you and Dr. Henson have made it clear that the OCSP server implementation is only to be used for testing. With that in mind, the server implementation does act as a server and responds to inbound requests via http in version 0.9x, but that functionality stopped working in version 1.0. From what I can gather from spending way too much time searching the web is it has something to do with how v1.0 processes ipv6 instead of ipv4 and I'm curious if you or anyone else has come up with a sharable work-around for being able to use v1.x as an OCSP server?

Thanks,
Steve

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Patrick Patterson
Sent: Thursday, July 18, 2013 9:35 AM
To: openssl-users@openssl.org
Subject: Re: OSCP server does not update status

Hi there,

One thing that, I think, the OCSP man page makes very clear is that the OCSP server implementation is to be used for testing only, and not to be used for any sort of "real-life" scenario. To get real-time updating based on changes in the index.txt file from the CA, you'd have to write your own OCSP server implementation. Other things that you have noticed (lack of concurrency, etc.) are also only achievable if you write your own server.

In short - the behaviour that you are seeing is exactly as is to be expected from a tool that exists only for testing purposes.

Have fun.

Patrick.

On 2013-07-18, at 12:19 PM, redpath wrote:

> I am testing some simple scenarios for the OSCP server.
> I have to stop and start the Server to know I revoked a cert.
> Here is my scenario.
>
> *I start the OSCP server*
>
> ocsp -index ./demoCA/index.txt -port 8082 -rsigner authocspsign.crt -rkey ocspsign.key -CA ./demoCA/cacert.pem -text
>
> *I check a cert*
>
> openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem
>
> *and it's GOOD*
>
> *Then from a terminal I revoke a certificate*
>
> openssl ca -revoke ./demoCA/newcerts/1009.pem
>
> Using configuration from /usr/ssl/openssl.cnf
> Enter pass phrase for ./demoCA/private/cakey.pem:
> Revoking Certificate 1009.
> Data Base Updated
>
> *I check it again*
>
> openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem
> Response verify OK
> 0x1009: good
> This Update: Jul 18 16:13:02 2013 GMT
>
> *Not correct, it is revoked, I looked at the index.txt. I stop and start the OSCP server again*
>
> *I check again*
>
> openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem
> Response verify OK
> 0x1009: revoked
> This Update: Jul 18 16:13:34 2013 GMT
> Revocation Time: Jul 18 16:12:18 2013 GMT
>
> *And results are expected REVOKED.*
> *So what is the best practice to get the OSCP server to update?*

smime.p7s
Description: S/MIME cryptographic signature
RE: OSCP server does not update status
> Is there a standard to revoke a cert with a request to an OCSP.

Nothing part of OCSP. There are various other standards around (e.g., XKMS from W3C, KMIP from OASIS) but they're nowhere near as widely used.

/r$

--
Principal Security Engineer
Akamai Technology
Cambridge, MA
Re: OSCP server does not update status
Is there a standard to revoke a cert with a request to an OCSP. I know to check status for an OCSP request works nicely using the OpenSSL API and is standard RFC6960. I would think not for security issues. Or is it simply a particular to what OSCP server product you decided to use and allow admins to administer the revocation of certs.
Re: OSCP server does not update status
Fair enough, that's good to know. Will use for testing only the OCSP request construction and return information parsing.
Re: OSCP server does not update status
Hi there,

One thing that, I think, the OCSP man page makes very clear is that the OCSP server implementation is to be used for testing only, and not to be used for any sort of "real-life" scenario. To get real-time updating based on changes in the index.txt file from the CA, you'd have to write your own OCSP server implementation. Other things that you have noticed (lack of concurrency, etc.) are also only achievable if you write your own server.

In short - the behaviour that you are seeing is exactly as is to be expected from a tool that exists only for testing purposes.

Have fun.

Patrick.

On 2013-07-18, at 12:19 PM, redpath wrote:

> I am testing some simple scenarios for the OSCP server.
> I have to stop and start the Server to know I revoked a cert.
> Here is my scenario.
>
> *I start the OSCP server*
>
> ocsp -index ./demoCA/index.txt -port 8082 -rsigner authocspsign.crt -rkey ocspsign.key -CA ./demoCA/cacert.pem -text
>
> *I check a cert*
>
> openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem
>
> *and it's GOOD*
>
> *Then from a terminal I revoke a certificate*
>
> openssl ca -revoke ./demoCA/newcerts/1009.pem
>
> Using configuration from /usr/ssl/openssl.cnf
> Enter pass phrase for ./demoCA/private/cakey.pem:
> Revoking Certificate 1009.
> Data Base Updated
>
> *I check it again*
>
> openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem
> Response verify OK
> 0x1009: good
> This Update: Jul 18 16:13:02 2013 GMT
>
> *Not correct, it is revoked, I looked at the index.txt. I stop and start the OSCP server again*
>
> *I check again*
>
> openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem
> Response verify OK
> 0x1009: revoked
> This Update: Jul 18 16:13:34 2013 GMT
> Revocation Time: Jul 18 16:12:18 2013 GMT
>
> *And results are expected REVOKED.*
> *So what is the best practice to get the OSCP server to update?*

---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
OSCP server does not update status
I am testing some simple scenarios for the OSCP server.
I have to stop and start the Server to know I revoked a cert.
Here is my scenario.

*I start the OSCP server*

ocsp -index ./demoCA/index.txt -port 8082 -rsigner authocspsign.crt -rkey ocspsign.key -CA ./demoCA/cacert.pem -text

*I check a cert*

openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem

*and it's GOOD*

*Then from a terminal I revoke a certificate*

openssl ca -revoke ./demoCA/newcerts/1009.pem

Using configuration from /usr/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Revoking Certificate 1009.
Data Base Updated

*I check it again*

openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem
Response verify OK
0x1009: good
This Update: Jul 18 16:13:02 2013 GMT

*Not correct, it is revoked, I looked at the index.txt. I stop and start the OSCP server again*

*I check again*

openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem
Response verify OK
0x1009: revoked
This Update: Jul 18 16:13:34 2013 GMT
Revocation Time: Jul 18 16:12:18 2013 GMT

*And results are expected REVOKED.*
*So what is the best practice to get the OSCP server to update?*
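The scenario above comes down to one detail: the `openssl ocsp -index` test responder reads the CA's index.txt once at startup and answers every later request from that snapshot, so `openssl ca -revoke` changes the file but not the running responder's answers. The following is an added illustration (not code from the thread, from OpenSSL, or from any of the posters) that parses the tab-separated index.txt format `openssl ca` maintains and compares a responder that snapshots the file with one that re-reads it per request. The two index lines, the subject DN and the expiry date are constructed sample data; the serial 0x1009 and the revocation time 2013-07-18 16:12:18 GMT are taken from the thread.

```python
"""Why a snapshot-at-startup OCSP responder keeps saying "good" after a revocation.

Added example, not from the thread or from OpenSSL. It models the index.txt
database that `openssl ca` maintains and shows the difference between a
responder that reads it once (like the `openssl ocsp -index` test server)
and one that re-reads it for every request.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Optional, Tuple


@dataclass
class IndexEntry:
    status: str                     # 'V' valid, 'R' revoked, 'E' expired
    expires: datetime
    revoked_at: Optional[datetime]  # None unless status == 'R'
    reason: Optional[str]           # optional CRL reason after a comma in column 3
    serial: int
    subject: str


def parse_utctime(value: str) -> datetime:
    """index.txt stores times as ASN.1 UTCTime: YYMMDDHHMMSSZ."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text: str) -> Dict[int, IndexEntry]:
    """Parse the six tab-separated columns of an `openssl ca` index.txt:
    status, expiry, revocation time (empty if not revoked), hex serial,
    certificate file name or 'unknown', subject DN."""
    entries: Dict[int, IndexEntry] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        status, expiry, revocation, serial_hex, _filename, subject = fields
        revoked_at = reason = None
        if revocation:
            stamp, _, reason_text = revocation.partition(",")
            revoked_at = parse_utctime(stamp)
            reason = reason_text or None
        serial = int(serial_hex, 16)
        entries[serial] = IndexEntry(status, parse_utctime(expiry), revoked_at, reason, serial, subject)
    return entries


def cert_status(entries: Dict[int, IndexEntry], serial: int) -> Tuple[str, Optional[datetime]]:
    """Map an index entry to the OCSP CertStatus choice: good / revoked / unknown."""
    entry = entries.get(serial)
    if entry is None:
        return "unknown", None
    if entry.status == "R":
        return "revoked", entry.revoked_at
    return "good", None


class SnapshotResponder:
    """Reads index.txt once, like the `openssl ocsp -index` test server."""
    def __init__(self, read_index: Callable[[], str]):
        self._entries = parse_index(read_index())

    def status(self, serial: int) -> Tuple[str, Optional[datetime]]:
        return cert_status(self._entries, serial)


class RereadResponder:
    """Re-reads index.txt on every request, so CA revocations are visible at once."""
    def __init__(self, read_index: Callable[[], str]):
        self._read_index = read_index

    def status(self, serial: int) -> Tuple[str, Optional[datetime]]:
        return cert_status(parse_index(self._read_index()), serial)


# Constructed index.txt contents for serial 0x1009 before and after
# `openssl ca -revoke`; the revocation time is the one from the thread.
INDEX_BEFORE = "V\t140718160000Z\t\t1009\tunknown\t/CN=test-1009.example\n"
INDEX_AFTER = "R\t140718160000Z\t130718161218Z\t1009\tunknown\t/CN=test-1009.example\n"


def demo() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Return (snapshot, re-read) status pairs before and after the revocation."""
    ca_db = {"index.txt": INDEX_BEFORE}

    def read_index() -> str:        # stands in for opening demoCA/index.txt
        return ca_db["index.txt"]

    snapshot = SnapshotResponder(read_index)
    fresh = RereadResponder(read_index)
    before = (snapshot.status(0x1009)[0], fresh.status(0x1009)[0])
    ca_db["index.txt"] = INDEX_AFTER  # the CA revokes 0x1009
    after = (snapshot.status(0x1009)[0], fresh.status(0x1009)[0])
    return before, after


if __name__ == "__main__":
    print(demo())  # (('good', 'good'), ('good', 'revoked'))
```

The `after` pair is the thread's symptom in miniature: the snapshot responder still reports `good` for 0x1009 while a re-read reports `revoked` with the recorded time. A production responder also needs the concurrency, signing and nonce handling that Patrick points out the test tool lacks; until one is in place, the stock test server only reflects index.txt changes after a restart (or when started fresh per request, e.g. looping `openssl ocsp ... -nrequest 1`, which exits after one request).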