question about trust root CA, ocsp responder cert, requester signer cert, and issuer cert

2022-06-02 Thread Edward Tsang via openssl-users
I know that we need * ocsp responder cert for verifying the signature of ocsp response, * CA issuer cert to generate CERTID for ocsp request and * ocsp requestor can choose to sign ocsp request using a signer certificate. But instead of having users set that as 3 different settings, I am

openssl ocsp responder

2022-05-20 Thread Lynch, Pat
Hello, I've created a CA using EasyRSA, which is based on openssl. I'm trying to run "openssl ocsp" in server mode. Everything starts just fine and it processes client requests, but no matter what certificate I try to query, the openssl ocsp responder sends "Cert S

OCSP Responder app

2021-01-31 Thread Thulasi Goriparthi
OCSP responder app is trying to read OCSP_RESPONSE instead of OCSP_REQUEST in do_responder function. Created https://github.com/openssl/openssl/issues/13904 Thanks, Thulasi.

Re: How to make ocsp responder busy

2020-11-09 Thread Jakob Bohm via openssl-users
On 2020-11-09 09:58, Venkata Mallikarjunarao Kosuri via openssl-users wrote: Hi We are trying to work scenario to openssl OCSP responder busy, but we are not sure how to make OCSP responder busy could please throw some pointer to work on. Ref https://www.openssl.org/docs/man1.0.2/man1

How to make ocsp responder busy

2020-11-09 Thread Venkata Mallikarjunarao Kosuri via openssl-users
Hi We are trying to work scenario to openssl OCSP responder busy, but we are not sure how to make OCSP responder busy could please throw some pointer to work on. Ref https://www.openssl.org/docs/man1.0.2/man1/ocsp.html Thanks Malli

RE: openssl ocsp(responder) cmd is giving error for ipv6

2020-11-04 Thread Michael Wojcik
> From: perumal v > Sent: Wednesday, 4 November, 2020 02:13 > change is highlighted below and basically keeping [] brackets for ipv6 : > > OCSP_parse_url > p = host; >if (host[0] == '[') { >/* ipv6 literal */ > //host++; >p = strchr(host, ']'); >if (!p) >

Re: openssl ocsp(responder) cmd is giving error for ipv6

2020-11-04 Thread perumal v
HI, it started working after modification in OCSP_parse_url change is *highlighted* below and basically keeping [] brackets for ipv6 : OCSP_parse_url p = host; if (host[0] == '[') { /* ipv6 literal */ *//host++; * p = strchr(host, ']'); if (!

RE: openssl ocsp(responder) cmd is giving error for ipv6

2020-11-03 Thread Michael Wojcik
> From: openssl-users On Behalf Of perumal v > Sent: Monday, 2 November, 2020 07:57 > I tried openssl ocsp for ipv6 and got the error message for the OCSP. > openssl ocsp -url http://[2001:DB8:64:FF9B:0:0:A0A:285E]:8090/ocsp-100/ > -issuer ... > Error creating connect BIO > 140416130504448:erro

openssl ocsp(responder) cmd is giving error for ipv6

2020-11-02 Thread perumal v
"[]" bracket. -- openssl ocsp -url http://*2001:DB8:64:FF9B:0:0:A0A:285E*:8090/ocsp-100/ -issuer /etc/cert/ipsec/cert0/ca.crt -CAfile /etc/cert/ipsec/cert0/ca.crt -cert /etc/cert/ipsec/cert0/cert.crt *Error connecting BIOError querying OCSP responder* I am using openssl version : *openssl vers

[openssl-users] Help with OpenSSL's OCSP responder serving pre-produced responses

2018-05-10 Thread Coty Sutherland
Hi, Can anyone tell me how to serve pre-produced responses with OpenSSL's OCSP responder? My current understanding is that what I'm doing should work, but it doesn't. The pre-produced response correctly prints to stdout...but it doesn't actually go back to the client (instead

Re: [openssl-users] OCSP Responder Running on Localhost using the Source Code..!

2017-04-04 Thread Jakob Bohm
The code for the command "openssl xyz" is usually in the source file apps/xyz.c . So the example OCSP responder is probably in the file apps/ocsp.c . On 04/04/2017 09:04, RajatRokade wrote: Hi.. I want to create an OCSP responder running on my local machine to avoid the requirement o

[openssl-users] OCSP Responder Running on Localhost using the Source Code..!

2017-04-04 Thread RajatRokade
Hi.. I want to create an OCSP responder running on my local machine to avoid the requirement of internet connection. I tried using the command line approach to set up a new CA, build database, run the responder on the localhost and finally query the OCSP responder. I was able to query the server and

Re: [openssl-users] Behaviour facing a broken OCSP responder

2015-09-14 Thread Salz, Rich
> Are these the only three error codes ? Nope. It's not standardized at all sadly

Re: [openssl-users] Behaviour facing a broken OCSP responder

2015-09-14 Thread jonetsu
> From: "Salz, Rich" > Date: 09/14/15 16:07 > Are you talking about the command-line? Yes. > It would be great if someone sent in a patch that standardized > and documented exit codes, like 0 for got a "good" > response, "1" for got a "bad" response, and 10 for got an > unparseable response

Re: [openssl-users] Behaviour facing a broken OCSP responder

2015-09-14 Thread Salz, Rich
> The documentation does not seem too clear about what the behaviour > exactly is when OpenSSL deals with a broken OCSP responder.  For instance, > one that would send an OK without any contents.  We call openssl from an > application and would like to know what is returned in such a

[openssl-users] Behaviour facing a broken OCSP responder

2015-09-14 Thread jonetsu
Hello, The documentation does not seem too clear about what the behaviour exactly is when OpenSSL deals with a broken OCSP responder.  For instance, one that would send an OK without any contents.  We call openssl from an application and would like to know what is returned in such a case, or

Information Regarding Commercially available OCSP Responder.

2013-09-10 Thread deepak.kathuria
Hi, I am using openssl OCSP utility as OCSP Responder in linux platform. Currently as soon as the code which I am using as OCSP Requester gets OCSP Response it sends the FIN and openssl OCSP Responder also generates the FIN request to clear the connection as soon as it sends the OCSP Response

Re: OCSP responder www.openca.org

2013-07-30 Thread redpath
.6102.n7.nabble.com/OCSP-responder-www-openca-org-tp45981p45989.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing

Re: OCSP responder www.openca.org

2013-07-30 Thread Igor Sverkos
Hi, when I was looking for an OCSP responder in January I also found OpenCA.org and I also think it is dead. If you want to use it, read the mailing list. Someone posted important patches (against memory leaks and other things). Another thing is, that I am not sure if an OCSP responder, which

OCSP responder www.openca.org

2013-07-29 Thread redpath
I came across http://www.openca.org for an open source OCSP responder. Anyone know anything about this, it seems abandoned? I would like a standalone OCSP responder to keep things simple and a well documented way to provide a CRL list for the OCSP responder to work with. The source code seems to

RE: Connection getting terminated after OCSP Response is send my OCSP Responder.

2013-07-16 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of deepak.kathuria > Sent: Monday, 15 July, 2013 23:31 > I am using openssl OCSP utility as OCSP Responder in linux > platform. Once > OCSP Responder receives OCSP Request it will send OCSP Response and > terminate the TCP con

Connection getting terminated after OCSP Response is send my OCSP Responder.

2013-07-16 Thread deepak.kathuria
Hi, I am using openssl OCSP utility as OCSP Responder in linux platform. Once OCSP Responder receives OCSP Request it will send OCSP Response and terminate the TCP connection by sending FIN for TCP Connection. Why OCSP responder trying to close the connection? Is there any way by which OCSP

Connection getting terminated after OCSP Response is send my OCSP Responder.

2013-07-15 Thread deepak.kathuria
Hi, I am using openssl OCSP utility as OCSP Responder in linux platform. Once OCSP Responder receives OCSP Request it will send OCSP Response and terminate the TCP connection by sending FIN for TCP Connection. Why OCSP responder trying to close the connection? Is there any way by which OCSP

Re: OpenSSL OCSP Responder used in a CGI Skript - I found the bug

2012-12-14 Thread Walter H.
Salz, Rich wrote: neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null, let this line "disappear" Redirections happen left-to-right. So do this: >/dev/null 2>&1 left-to-right? outer-to-inner, I understand; Or the simpler 2>/dev/nul ok Thanks, Walter

Re: OpenSSL OCSP Responder used in a CGI Skript - I found the bug

2012-12-14 Thread Walter H.
Dr. Stephen Henson wrote: On Wed, Dec 12, 2012, Walter H. wrote: Hello, when using openssl ocsp ... in a CGI skript, you must use -noverify because without, this creates the line Response verify OK neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null, let this line "disappear" so this

RE: OpenSSL OCSP Responder used in a CGI Skript - I found the bug

2012-12-12 Thread Salz, Rich
> neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null, let this line > "disappear" Redirections happen left-to-right. So do this: >/dev/null 2>&1 Or the simpler 2>/dev/null -- Principal Security Engineer Akamai Technology Cambridge, MA ___

Re: OpenSSL OCSP Responder used in a CGI Skript - I found the bug

2012-12-12 Thread Dr. Stephen Henson
On Wed, Dec 12, 2012, Walter H. wrote: > Hello, > > when using > > openssl ocsp ... > > in a CGI skript, you must use -noverify > because without, this creates the line > > Response verify OK > > neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null, let this line > "disappear" > > so this s

OpenSSL OCSP Responder used in a CGI Skript - I found the bug

2012-12-12 Thread Walter H.
Hello, when using openssl ocsp ... in a CGI skript, you must use -noverify because without, this creates the line Response verify OK neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null, let this line "disappear" so this shoots either a 500 page or an invalid OCSP response is sent, which

Re: OpenSSL OCSP Responder used in a CGI Skript

2012-12-11 Thread Dr. Stephen Henson
ot CA I signed also a certificate, with the purpose of > signing OCSP Responder; using parameter -addtrust OCSPSigning > when calling openssl x509 and also with 'extendedKeyUsage = > OCSPSigning' in my openssl.cnf; > > so I have the following files > > the CA database:

OpenSSL OCSP Responder used in a CGI Skript

2012-12-11 Thread Walter H.
Hello, I have created a self signed root CA certificate, and two other CA certificate, that I signed with this self signed root certificate; and these SubCA certificates are used for signing requests; with the root CA I signed also a certificate, with the purpose of signing OCSP Responder

Re: OCSP Responder

2012-12-03 Thread Jakob Bohm
much more sensible setup (in most cases) would be to invoke the openssl ocsp responder as a backend to a real HTTP(S) server such as Apache, when the request specifies the relevant URL, while other URLs could return "normal" content such as CRLs, CA certs, policies, introductory front p

RE: OCSP Responder

2012-11-30 Thread Dave Thompson
urope.de to master.openssl.org by 14:21 +1, then X-Greylist: delayed 1016 seconds (about 17min), but no relay until Nov 30 15:19 +1, which my mailhost got 3min later. > I use Ubuntu 12.04 64bit server [with] openssl 1.0.1-4ubuntu5.5 ... > Now I want to use the ocsp responder for testing. > I start in te

OCSP Responder

2012-11-30 Thread Rainer Rill
Hi, Hello, i have a question. I use Ubuntu 12.04 64bit server. The openssl version is 1.0.1-4ubuntu5.5 On the same server is installed apache2 with ssl support. Everything works well. Now I want to use the ocsp responder for testing. I start in terminal 1: >openssl ocsp -index /etc/

non-interactive password for ocsp responder

2012-06-20 Thread Dan B.
How can the ocsp responder be run non-interactively (e.g., run from a script so that the person running the script does not have to type in the OCSP signing key password)? (Yes, I know that that generally isn't secure, but in this case it doesn't need to be. (It's for an exa

Re: OCSP responder bug?

2011-08-07 Thread Alex Bergmann
0.0.0.0:-> 0.0.0.0: 127.0.0.1: -> 127.0.0.1: ::: -> ::: ::1:-> ::1: Currently it's not documented that you can use the IP address in the port string. So the best thing to do with the current stable version is to use the port string "

OCSP responder bug?

2011-02-11 Thread Timothy Stapko
Hello, I have been developing an application using OpenSSL that needs an OCSP responder, and for testing I use the following command to create the responder: openssl ocsp -index ./CA/index.txt -port -rsigner ./CA_resp/certs/responder.pem -rkey ./CA_resp/private/server.key -CA ./CA/ca.pem

openssl 1.0.0.a OCSP responder problem

2010-07-01 Thread Glenn, William
Hi, Is there a way to make the version 1.0.0a ocsp responder to sign responses using SHA256? The rsigner certificate is SHA256 and the requests are signed with SHA256 but responses are always SHA1. I saw a reference in a thread from 5/13/10 to "draft-ietf-pkix-ocspagility" tha

Re: openssl ocsp responder unauthorised error

2010-06-08 Thread Dr. Stephen Henson
On Tue, Jun 08, 2010, Arunkumar Manickam wrote: > > When will an ocsp responder respond with "unauthorized error" for an ocsp > request. It is a Windows server 2008 machine. > Well when, for some reason, the responder doesn't like the requestor. This could be,

openssl ocsp responder unauthorised error

2010-06-08 Thread Arunkumar Manickam
Hi, When will an ocsp responder respond with "unauthorized error" for an ocsp request. It is a Windows server 2008 machine. Thanks, Arun

Re: ocsp responder certificate generation documentation( reg)

2006-12-13 Thread Simon McMahon
ave to watch out for revocation/ocsp checks on the ocsp responder cert - that's where the "nocheck" extension comes in. You can tune your responder for performance/cert maintenance by choosing between these methods. I just use a self signed trusted ocsp cert because that was ea

Re: ocsp responder certificate generation documentation( reg)

2006-12-07 Thread Simon McMahon
howto make the OCSP certificate. This is the section I added to my openssl.cnf file. [ ocsp_cert ] # These extensions are added when 'ca' signs a request for an OCSP responder. basicConstraints=CA:FALSE extendedKeyUsage= OCSP Signing noCheck = yes ... Then as my other post

OCSP responder ID in OCSP response ( name or key hash )

2003-08-14 Thread Wu Junwei
Hi, all I would like to test my OCSP client. I noticed that when getting a response, the responder ID in the OCSP response can be presented by name or key hash. If I use OpenSSL as the responder, can the OpenSSL provides the response with the responder ID in Key ha

revoking the OCSP responder certificate

2003-06-06 Thread pablo
Hi everyone, I just revoked the OCSP responder certificate as you can see: file index.txt -- R 040530223109Z 030605151409Z 03 unknown /C=ES/ST=Andalusia/L=Seville/O=Mazinger Z inc./OU=pepe/CN=OCSP responder prueba 2/emailAddress=ocsp - end of index.txt

Re: OCSP Responder

2002-04-16 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Tue, 16 Apr 2002 00:58:16 +0200, Averroes <[EMAIL PROTECTED]> said: averroes> My question is, the OCSP Responder act as a daemon since it listen on averroes> port and wait for requests. Does openssl OCSP Responder mature averroes&

OCSP Responder

2002-04-15 Thread Averroes
Hi All, Here is what i got by running openssl as OCSP responder: othe:~# netstat -tuan Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:0.0.0.0:* LISTEN After

Re: free OCSP-responder

2001-09-27 Thread Sylvain . Maret
Hello Andre, You can also use www.openvalidation.org. It offer a nice OCSP Responder for test issue. In fact the product behind is from Sytrust. Sylvain Sylvain Maret Senior Security

Re: free OCSP-responder

2001-09-26 Thread Mathew oBrian
> within my diploma thesis I work with OCSP. I would like to test some >client software (Netscape and Baltimore Mailsecure) supporting OCSP with >some OCSP-Responder. As the ValiCert OCSP-Responder is not > as cheap as I like it, I'd like to ask you if you know some free >