openssl ocsp responder

2022-05-20 Thread Lynch, Pat
Hello, I've created a CA using EasyRSA, which is based on openssl. I'm trying to run "openssl ocsp" in server mode. Everything starts just fine and it processes client requests, but no matter what certificate I try to query, the openssl ocsp responder sends "Cert S

RE: openssl ocsp(responder) cmd is giving error for ipv6

2020-11-04 Thread Michael Wojcik
> From: perumal v > Sent: Wednesday, 4 November, 2020 02:13 > change is highlighted below and basically keeping [] brackets for ipv6 : > > OCSP_parse_url > p = host; >if (host[0] == '[') { >/* ipv6 literal */ > //host++; >p = strchr(host, ']'); >if (!p) >

Re: openssl ocsp(responder) cmd is giving error for ipv6

2020-11-04 Thread perumal v
al v > > Sent: Monday, 2 November, 2020 07:57 > > > I tried openssl ocsp for ipv6 and got the error message for the OCSP. > > > openssl ocsp -url http://[2001:DB8:64:FF9B:0:0:A0A:285E]:8090/ocsp-100/ > -issuer ... > > Error creating connect BIO > > 1404

RE: openssl ocsp(responder) cmd is giving error for ipv6

2020-11-03 Thread Michael Wojcik
> From: openssl-users On Behalf Of perumal v > Sent: Monday, 2 November, 2020 07:57 > I tried openssl ocsp for ipv6 and got the error message for the OCSP. > openssl ocsp -url http://[2001:DB8:64:FF9B:0:0:A0A:285E]:8090/ocsp-100/ > -issuer ... > Error creating connect BIO

openssl ocsp(responder) cmd is giving error for ipv6

2020-11-02 Thread perumal v
Hi All, I tried openssl ocsp for ipv6 and got the error message for the OCSP. IPv6 address with the "[]" bracket. ------- openssl ocsp -url http://*[2001:DB8:64:FF9B:0:0:A0A:285E]*:8090/ocsp-100/ -issuer /etc/cert/ipsec/cert0/ca.c

[openssl-users] OpenSSL OCSP and RFC 6960

2018-09-14 Thread Gena Makhomed
Hello, All! For certificates generated by "Let's Encrypt Authority X3" for getting ocsp response from letsencrypt I need to use such command: # openssl ocsp -verify_other chain.pem \ -issuer chain.pem \ -cert cert.pem \ -text \

Re: [openssl-users] How can I sstart openssl ocsp in secure mode using TLS/SSL

2017-09-26 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Richard Moore > Sent: Tuesday, September 26, 2017 06:31 > To: openssl-users@openssl.org > Subject: Re: [openssl-users] How can I sstart openssl ocsp in secure mode > using TLS/SSL > The CA Se

Re: [openssl-users] How can I sstart openssl ocsp in secure mode using TLS/SSL

2017-09-26 Thread Jakob Bohm
On 26/09/2017 14:31, Richard Moore wrote: On 26 September 2017 at 02:36, Kyle Hamilton wrote: On Fri, Sep 22, 2017 at 9:32 AM, Richard Moore wrote: > > It's also worth pointing out that CAs are banned from running

Re: [openssl-users] How can I sstart openssl ocsp in secure mode using TLS/SSL

2017-09-26 Thread Richard Moore
On 26 September 2017 at 02:36, Kyle Hamilton wrote: > On Fri, Sep 22, 2017 at 9:32 AM, Richard Moore > wrote: > > > > It's also worth pointing out that CAs are banned from running OCSP > servers over HTTPS anyway and it isn't needed since the responses are > already signed - http is fine. > > Th

Re: [openssl-users] How can I sstart openssl ocsp in secure mode using TLS/SSL

2017-09-25 Thread Kyle Hamilton
On Fri, Sep 22, 2017 at 9:32 AM, Richard Moore wrote: > > It's also worth pointing out that CAs are banned from running OCSP servers > over HTTPS anyway and it isn't needed since the responses are already signed > - http is fine. That argument fails when you consider that some people want the d

Re: [openssl-users] How can I sstart openssl ocsp in secure mode using TLS/SSL

2017-09-25 Thread Jakob Bohm
On 22/09/2017 18:32, Richard Moore wrote: On 22 September 2017 at 15:08, Salz, Rich via openssl-users <openssl-users@openssl.org> wrote: Openssl 0.9.8 is old and obsolete and has security issues; you should upgrade. But even if you upgrade, the ocsp command will not liste

Re: [openssl-users] How can I sstart openssl ocsp in secure mode using TLS/SSL

2017-09-22 Thread Richard Moore
On 22 September 2017 at 15:08, Salz, Rich via openssl-users < openssl-users@openssl.org> wrote: > Openssl 0.9.8 is old and obsolete and has security issues; you should > upgrade. > > > > But even if you upgrade, the ocsp command will not listen on HTTPS; that > is not supported. > > > It's also w

Re: [openssl-users] How can I sstart openssl ocsp in secure mode using TLS/SSL

2017-09-22 Thread Salz, Rich via openssl-users
Openssl 0.9.8 is old and obsolete and has security issues; you should upgrade. But even if you upgrade, the ocsp command will not listen on HTTPS; that is not supported.

[openssl-users] How can I sstart openssl ocsp in secure mode using TLS/SSL

2017-09-22 Thread Ike Ikonne
Hi all, I have been trying to test the embed openssl ocsp server in secure mode like: c:\openssl-0.9.8\share>c:\openssl-0.9.8\bin\openssl ocsp -url https://myhost:7575-req_text -resp_text -text -index intermediate\index.txt -CA intermediate\certs\ca-chain-cert.pem -rkey intermediate\priv

[openssl-users] How can I sstart openssl ocsp in secure mode using TLS/SSL

2017-09-19 Thread Ike Ikonne
Hi all, I have been trying to test the embed openssl ocsp server in secure mode like: c:\openssl-0.9.8\share>c:\openssl-0.9.8\bin\openssl ocsp -url https://myhost:7575-req_text -resp_text -text -index intermediate\index.txt -CA intermediate\certs\ca-chain-cert.pem -rkey intermediate\priv

Re: [openssl-users] Problems with server mode of openssl ocsp

2017-09-07 Thread Robert Moskowitz
On 09/07/2017 04:13 PM, Dr. Stephen Henson wrote: On Thu, Sep 07, 2017, Robert Moskowitz wrote: Good progress. A few questions: on https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html The sample server test command is: openssl ocsp -port

Re: [openssl-users] Problems with server mode of openssl ocsp

2017-09-07 Thread Dr. Stephen Henson
On Thu, Sep 07, 2017, Robert Moskowitz wrote: > Good progress. A few questions: > > on > https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html > > The sample server test command is: > > openssl ocsp -port 127.

[openssl-users] Problems with server mode of openssl ocsp

2017-09-07 Thread Robert Moskowitz
Good progress. A few questions: on https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html The sample server test command is: openssl ocsp -port 127.0.0.1:2560 -text -sha256 \ -index intermediate/index.txt \ -CA intermediate/certs/ca

Re: OpenSSL OCSP

2013-10-11 Thread Anju Ramani
Hi, Could you please tell me how to do the set up of local ocsp responder as you did it like http://ocsp_responder:3456.? It's really urgent and time is less.

openSSL OCSP utility not sending OCSP Response when connect call is non-blocking.

2013-09-06 Thread deepak.kathuria
Hi, I am using openSSL OCSP utility as server. Whenever I do a blocking TCP connect to establish TCP connection with openSSL OCSP utility and then send OCSP request , openSSL OCSP utility sending a OCSP response. But when I do a non blocking TCP connect make sure that OCSP request is written

Re: OpenSSL OCSP Responder used in a CGI Skript - I found the bug

2012-12-14 Thread Walter H.
Salz, Rich wrote: neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null, let this line "disappear" Redirections happen left-to-right. So do this: >/dev/null 2>&1 left-to-right? outer-to-inner, I understand; Or the simpler 2>/dev/null ok Thanks, Walter

Re: OpenSSL OCSP Responder used in a CGI Skript - I found the bug

2012-12-14 Thread Walter H.
Dr. Stephen Henson wrote: On Wed, Dec 12, 2012, Walter H. wrote: Hello, when using openssl ocsp ... in a CGI skript, you must use -noverify because without, this creates the line Response verify OK neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null, let th

RE: OpenSSL OCSP Responder used in a CGI Skript - I found the bug

2012-12-12 Thread Salz, Rich
> neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null, let this line > "disappear" Redirections happen left-to-right. So do this: >/dev/null 2>&1 Or the simpler 2>/dev/null -- Principal Security Engineer Akamai Technology Cambridge, MA

Re: OpenSSL OCSP Responder used in a CGI Skript - I found the bug

2012-12-12 Thread Dr. Stephen Henson
On Wed, Dec 12, 2012, Walter H. wrote: > Hello, > > when using > > openssl ocsp ... > > in a CGI skript, you must use -noverify > because without, this creates the line > > Response verify OK > > neither >/dev/null nor 2>&1 >file nor 2>&

OpenSSL OCSP Responder used in a CGI Skript - I found the bug

2012-12-12 Thread Walter H.
Hello, when using openssl ocsp ... in a CGI skript, you must use -noverify because without, this creates the line Response verify OK neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null, let this line "disappear" so this shoots either a 500 page or

Re: OpenSSL OCSP Responder used in a CGI Skript

2012-12-11 Thread Dr. Stephen Henson
csprsp.key ) > > a chained certificate: chained.pem > that is created like this:( cat sub1CA.pem; cat sub2CA.pem; cat > rootCA.pem ) >chained.pem > > inside the CGI skript - bash - I call OpenSSL like this: > > openssl ocsp -index index.txt -CAfile rootCA.pem

OpenSSL OCSP Responder used in a CGI Skript

2012-12-11 Thread Walter H.
rootCA.pem ) >chained.pem inside the CGI skript - bash - I call OpenSSL like this: openssl ocsp -index index.txt -CAfile rootCA.pem -CA chained.pem -rsigner ocsprsp.pem -rkey ocsprsp.key -nmin 5 -reqin ocspreq.in -respout ocspresp.out 2>&1 >>./output.log is this correct? do I have

Re: [openssl-users] OpenSSL OCSP

2012-08-16 Thread Erwann Abalea
On 16/08/2012 18:38, adrien pisarz wrote: Ps: does anyone know why the engine option is not available with ocsp and the private key must be in a file instead of store securely in a HSM ? As said by Dr Henson, this is only a testing tool, not a production service. If you need a production-gr

RE: [openssl-users] OpenSSL OCSP

2012-08-16 Thread adrien pisarz
-users@openssl.org CC: apis...@hotmail.com Date: Tue, 14 Aug 2012 11:29:53 -0700 Subject: RE: [openssl-users] OpenSSL OCSP Hi Adrien, Just out of curiosity, what version of OpenSSL are you using? I can get OCSP to work with version 0.9.8, but not 1.0 or later and I’m looking to see if anyone

RE: [openssl-users] OpenSSL OCSP

2012-08-15 Thread Steven Madwin
-openssl-us...@openssl.org] On Behalf Of Erwann Abalea Sent: Tuesday, August 14, 2012 10:35 AM To: openssl-users@openssl.org Cc: adrien pisarz Subject: Re: [openssl-users] OpenSSL OCSP Hello, Answers inline. -- Erwann ABALEA On 14/08/2012 19:03, adrien pisarz wrote: Hi, I have

Re: [openssl-users] OpenSSL OCSP

2012-08-14 Thread Dr. Stephen Henson
On Tue, Aug 14, 2012, adrien pisarz wrote: > > > For information, the index file is written by parsing a CRL file but I > don't want to write into this file all the valid certificates as an > enrolment be done and my index file may not be synchronized. I have an > other question, why the en

RE: [openssl-users] OpenSSL OCSP

2012-08-14 Thread adrien pisarz
tis.com To: openssl-users@openssl.org CC: apis...@hotmail.com Subject: Re: [openssl-users] OpenSSL OCSP Hello, Answers inline. -- Erwann ABALEA On 14/08/2012 19:03, adrien pisarz wrote: Hi,

Re: [openssl-users] OpenSSL OCSP

2012-08-14 Thread Erwann Abalea
here is my ocsp configuration : openssl ocsp -index index_prod.txt -CAfile OpCA.pem -rsigner ocsp.crt -rkey ocsp.key -port 3456 -text -out /home/userocsp/ocsp_responder.log The file index is populated by a self-made script, the ocsp.crt (resp. key) is a certificate (resp. key) which contains

Re: OpenSSL OCSP stapling Vulnerability - (CVE-2010-0014)

2011-02-19 Thread Dr. Stephen Henson
On Thu, Feb 17, 2011, Frantz, Stacey M CIV NIOC PCOLA wrote: > > How can I tell if openssl on my server is acting as a server and calling > SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX? This includes Apache > httpd >= 2.3.3, if configured with "SSLUseStapling On". Well it's pretty clear

OpenSSL OCSP stapling Vulnerability - (CVE-2010-0014)

2011-02-18 Thread Frantz, Stacey M CIV NIOC PCOLA
How can I tell if openssl on my server is acting as a server and calling SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX? This includes Apache httpd >= 2.3.3, if configured with "SSLUseStapling On".

Re: openssl ocsp responder unauthorised error

2010-06-08 Thread Dr. Stephen Henson
On Tue, Jun 08, 2010, Arunkumar Manickam wrote: > > When will an ocsp responder respond with "unauthorized error" for a ocsp > request. It is an windows server 2008 machine. > Well when, for some reason, the responder doesn't like the requestor. This could be, for example, because it is expectin

openssl ocsp responder unauthorised error

2010-06-08 Thread Arunkumar Manickam
Hi, When will an ocsp responder respond with "unauthorized error" for a ocsp request. It is an windows server 2008 machine. Thanks, Arun

OpenSSL OCSP error

2008-03-14 Thread Henk van der Weerdt
Dear Openssl developer, At the moment I have some problems with the OCSP function. I'm getting a Error querying OCSP responsder Error message: C:\OpenSSL\bin>OpenSSL ocsp -url http://ocsp.openvalidation.org -issuer RootCAcert.pem -VAfile OCSPServer.pem -cert User.pem Error query

Re: How to get the openssl ocsp to send OCSP requests to the responder list in contained in the certifcate Authority Information Access?

2007-10-29 Thread Bruce Keats
ECTED]> wrote: > > On Mon, Oct 29, 2007, Bruce Keats wrote: > > > Hi, > > > > I have been trying for a couple of days now to test an OCSP responder, > but I > > am having problems getting the openssl OCSP client to send the OCSP > requests > > to the

Re: How to get the openssl ocsp to send OCSP requests to the responder list in contained in the certifcate Authority Information Access?

2007-10-29 Thread Dr. Stephen Henson
On Mon, Oct 29, 2007, Bruce Keats wrote: > Hi, > > I have been trying for a couple of days now to test an OCSP responder, but I > am having problems getting the openssl OCSP client to send the OCSP requests > to the OCSP responder listed in the certificate's AIA. If I use th

Re: Openssl ocsp

2007-04-02 Thread Nils Larsch
\OpenSSL\bin>openssl ocsp -issuer c:\Programme\OpenSSL\bin\certs\cert.pem -serial 1123 -url http://161.90.190.254:2560 -verify_other c:\Programme\OpenSSL\bin\certs\ocsp.pem -trust_other Response Verify Failure 2492:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not

Openssl ocsp

2007-04-02 Thread thomas.beckmann
Hi all, I try to ask an ocsp responder for the status of some certificates using openssl as ocsp client. Doing that the client produces the following Messages: --- C:\Programme\OpenSSL\bin>openssl o

How to add extensions to OCSP requests via openssl ocsp?

2005-07-20 Thread Craig Despeaux
OCSP request with the Acceptable Response Format extension I don't see any way to do this via the openssl ocsp utility? Any ideas how any of these test cases might be accomplished? Thanks, Craig

Re: openssl ocsp request , serial number

2005-07-06 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Wed, 6 Jul 2005 09:07:23 -0700, "Choudhary, Bimalendu" <[EMAIL PROTECTED]> said: bchoudhary> 2) When I send the serial number 0x81 the der encoded bchoudhary>serial number is bchoudhary> bchoudhary> 02 02 00 81 bchoudhary> bchoudhary> 4) When I send the ser

openssl ocsp request , serial number

2005-07-06 Thread Choudhary, Bimalendu
Hi, I am using an OCSP command to send ocsp request to my program using following command Openssl ocsp -serial 0x80 -issuer issuer.pem -text -url http://myprogram When I see the actual DER encoded request which openssl sends, I found different behaviour for different serial numbers. 1

Re: Problem with openssl ocsp utility!!!

2004-08-26 Thread Dr. Stephen Henson
have issued one user cert and place it on a pem file say > user.pem and CA cert on another file say IssuerCA.pem. > > I executed following set of commands - > > 1. openssl ocsp -issuer IssuerCA.pem -cert user.pem -reqout req.der > > 2. openssl ocsp -issuer IssuerCA.p

Re: Problem with openssl ocsp utility!!!

2004-08-26 Thread pijush koley
and CA cert on another file say IssuerCA.pem. I executed following set of commands - 1. openssl ocsp -issuer IssuerCA.pem -cert user.pem -reqout req.der 2. openssl ocsp -issuer IssuerCA.pem -cert user.pem -url http://:/ocsp -resp_text -respout resp.der 3. openssl ocsp -issuer IssuerCA.pem

Problem with openssl ocsp utility!!!

2004-08-24 Thread pijush koley
Hi! I am trying to use ocsp client utility of openssl. I have installed CMS software on Solaris box and installed openssl on another box. After that I want to check the status of a user certificate. To do that, I generate one response file using ocsp utility. The status returned by the OCSP respon

Re: OpenSSL OCSP interaction

2003-08-14 Thread Dr. Stephen Henson
On Tue, Aug 05, 2003, Werner Johansson wrote: > > > Is the OCSP components of the OpenSSL library considered "stable" in the > sense that the API has settled, or are there major changes planned?? > Yes pretty stable. If changes are made the older functions will be retained for compatibility.

Re: OpenSSL OCSP interaction

2003-08-04 Thread Dr. Stephen Henson
On Mon, Aug 04, 2003, Werner Johansson wrote: > Thanks for the input! > > I see now how some of the options to the ocsp command would make sense > (as it's being used as a test tool). > What I was experimenting with here was the possibility to create a small > module for Apache that could make an

RE: OpenSSL OCSP interaction

2003-08-04 Thread Werner Johansson
CA, right?? Regarding Mozilla I'll take a look at how they handle the OCSP-checking. /Werner -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson Sent: 4 August 2003 14:47 To: [EMAIL PROTECTED] Subject: Re: OpenSSL OCSP interaction Respon

Re: OpenSSL OCSP interaction

2003-08-04 Thread Dr. Stephen Henson
Responses inline. On Mon, Aug 04, 2003, Werner Johansson wrote: > Hi list! > > (Tried posting this a few days back, but it got lost in the process, > trying again...) > > I have been experimenting with the OCSP "client" in OpenSSL, using a > command line like

OpenSSL OCSP interaction

2003-08-04 Thread Werner Johansson
Hi list! (Tried posting this a few days back, but it got lost in the process, trying again...) I have been experimenting with the OCSP "client" in OpenSSL, using a command line like this: openssl ocsp -issuer level3ca.cer -cert enduser1.cer -url http://ocsp-test -CAfile cafile.pe

Re: Is anyone using openssl ocsp client?

2002-08-09 Thread Chris Jarshant
No, but I'm about to for a large project I'm working on... Will keep the group informed. I will be using the programmatic APIs rather than the command line. Hope it's better documented than the other openssl APIs :-) Bob Kupperstein wrote: > I'm interested in feedback about reliability, inter

Is anyone using openssl ocsp client?

2002-08-09 Thread Bob Kupperstein
I'm interested in feedback about reliability, interoperability and response times with different responders. Thanks, -Bob

OPENSSL OCSP

2002-02-25 Thread [EMAIL PROTECTED]
Hi list, I have built the latest version of openssl to try to use it with ocsp, but this functionality does not work, here is the message I got: "[bash@dev /bash]# openssl ocsp openssl:Error: 'ocsp' is an invalid command." how-to do ? Regards

OpenSSL ocsp and SmartTrust Servant OCSP

2002-01-07 Thread Franz Brandl
Hi All, I am trying to use the OpenSSL command ocsp together with SmartTrust Servant OCSP 4.0 and consistently get 'internalerror (2)' when trying to verify the status of a certificate. Does anyone have experience with SmartTrust OCSP and OpenSSL ? Best regards Franz Bran