On Tue, Oct 20, 2009, Daniel Marschall wrote:

> Hello.
>
> I am trying to set up an OCSP server.
>
> I have the following line:
>
> openssl ocsp -index codesign_intermediate/index.txt -url
> http://www.myhost.com:8888/codesign/ -rsigner root_ca/certs/cacert.crt
> -rkey root_ca/private/privkey.pem -CA root_ca/certs/cacert.crt -text
> -out codesign_intermediate/ocsp.txt
>
> When I start the bash script, I get the following line:
>
> Waiting for OCSP client connections...
>
> Ok, then I tried to open the OCSP connection (to test if it's
> answering) using web-sniffer.net. An HTTP-200 response with 5 bytes
> arrives. (Of course, this isn't a valid OCSP request.)
>
> Anyway, OpenSSL crashed now and says:
>
> Invalid request
>
> The OCSP daemon is stopped! (A second request isn't possible!)
>
> I tried to start the daemon again, but now I get
>
> 18758:error:02006062:system library:bind:Address already in
> use:b_sock.c:685:port='8888'
> 18758:error:20069075:BIO routines:BIO_get_accept_socket:unable to bind
> socket:b_sock.c:687:
>
> I cannot use this port a second time.
>
> My questions are:
>
> 1) What am I doing wrong? Why is the daemon terminating just because
> of this "request"?

If you don't want it to exit on errors then -ignore_err will do the trick.

Your main problem is expecting the OCSP test application to work as a proper responder. It isn't designed for that and will give awful performance. It is rather better if used as a CGI script from a webserver.

> 2) Why is the port 8888 blocked now? How can I undo it?

Wait a while, this is fairly standard behaviour on some OSes.

> 3) How do I have to proceed when I have a Root-CA and an
> Intermediate-CA and both should use OCSP? Should both get different
> ports?

A more sophisticated responder could switch to an appropriate CA based on the actual requests. That simple test application has a fixed responder certificate.

> 4) How can I add the OCSP URL to the root and intermediate
> certificates (I use the subprograms req + ca)

http://www.openssl.org/docs/apps/x509v3_config.html#Authority_Info_Access_

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
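A self-contained walk-through of the two pointers in the reply (-ignore_err on the test responder, authorityInfoAccess in the extension config), added here and not part of the thread or of OpenSSL's own scripts. It assumes an openssl binary on PATH, a writable scratch directory, and a free placeholder port 18888; 'openssl x509 -req' stands in for the 'ca' subprogram, so the index.txt row the responder reads is written by hand.

```shell
# Added example, not from the thread. A throwaway CA, a leaf whose
# authorityInfoAccess carries the OCSP URL (question 4), a hand-written
# index.txt row, and the test responder started with -ignore_err so a
# malformed request no longer kills it. Port 18888 is a placeholder.
set -eu
WORK=${WORK:-$(mktemp -d)}          # scratch directory, assumed writable
OCSP_PORT=18888
OCSP_URL="http://127.0.0.1:$OCSP_PORT/"

# Extension config read by req and x509; [ leaf ] shows the AIA syntax.
cat > "$WORK/ext.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf ]
basicConstraints = CA:FALSE
authorityInfoAccess = OCSP;URI:$OCSP_URL
EOF

# Self-signed CA plus one leaf; 'x509 -req' stands in for the 'ca' database.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -config "$WORK/ext.cnf" \
    -extensions ca 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf" -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -config "$WORK/ext.cnf" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/ext.cnf" -extensions leaf \
    -out "$WORK/leaf.crt" 2>/dev/null
  # Constructed index row: status, expiry, revocation date, serial, file, DN.
  serial=$(openssl x509 -noout -serial -in "$WORK/leaf.crt" | cut -d= -f2)
  printf 'V\t300101000000Z\t\t%s\tunknown\t/CN=leaf\n' "$serial" > "$WORK/index.txt"
}

# Prints the AIA access description from the issued leaf.
leaf_aia() { openssl x509 -noout -text -in "$WORK/leaf.crt" | grep -o 'OCSP - URI:[^ ]*'; }

# Serves one request with -ignore_err, queries the leaf, prints its status.
query_leaf() {
  openssl ocsp -index "$WORK/index.txt" -port "$OCSP_PORT" -rsigner "$WORK/ca.crt" \
    -rkey "$WORK/ca.key" -CA "$WORK/ca.crt" -ignore_err -nrequest 1 >/dev/null 2>&1 &
  pid=$!
  sleep 1
  openssl ocsp -issuer "$WORK/ca.crt" -cert "$WORK/leaf.crt" -CAfile "$WORK/ca.crt" \
    -url "$OCSP_URL" 2>/dev/null | sed -n 's/.*leaf\.crt: //p'
  kill "$pid" 2>/dev/null || true; wait "$pid" 2>/dev/null || true
}
```

Calling make_pki, leaf_aia and then query_leaf should print the AIA line and then "good"; repeating the query against the same responder instance without -ignore_err is the scenario the original poster hit.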