Hello Steve.

Dr. Stephen Henson wrote:
> On Tue, Oct 20, 2009, Daniel Marschall wrote:
>
>> Hello.
>> I am trying to set up an OCSP server.
>> I have the following line:
>>
>> openssl ocsp -index codesign_intermediate/index.txt -url
>> http://www.myhost.com:8888/codesign/ -rsigner root_ca/certs/cacert.crt
>> -rkey root_ca/private/privkey.pem -CA root_ca/certs/cacert.crt -text
>> -out codesign_intermediate/ocsp.txt
>>
>> When I start the bash script, I get the following line:
>> Waiting for OCSP client connections...
>>
>> OK, then I tried to open the OCSP connection (to test if it's
>> answering) using web-sniffer.net. An HTTP 200 response with 5 bytes
>> arrives. (Of course, this isn't a valid OCSP request.)
>> Anyway, OpenSSL crashed now and says:
>> Invalid request
>> The OCSP daemon is stopped! (A second request isn't possible!)
>> I tried to start the daemon again, but now I get
>> 18758:error:02006062:system library:bind:Address already in
>> use:b_sock.c:685:port='8888'
>> 18758:error:20069075:BIO routines:BIO_get_accept_socket:unable to bind
>> socket:b_sock.c:687:
>> I cannot use this port a second time.
>>
>> My questions are:
>>
>> 1) What am I doing wrong? Why is the daemon terminating just because
>> of this "request"?
>
> If you don't want it to exit on errors then -ignore_err will do the trick.

Thank you very much. It works.

> Your main problem is expecting the OCSP test application to work as a proper
> responder. It isn't designed for that and will give awful performance.

I am trying to make a very small CA with full features. I only want to
manage the certificates of 5 developers, so I don't mind performance or
frontend features. This CA I'm planning should work on Debian
Etch-n-Half without any enforced/unstable packages (so I don't want to
compile+install e.g. a "better" solution like OpenCA or OpenXPKI).

> It is rather better if used as a CGI script from a webserver.

Do you know a finished solution of a CGI script (preferably PHP) which will
do the OCSP parsing for me, or do I have to write it completely on my own?

>> 2) Why is the port 8888 blocked now? How can I undo it?
>
> Wait a while, this is fairly standard behaviour on some OSes.

OK, now it works again.

>> 3) How do I have to proceed when I have a Root CA and an
>> Intermediate CA and both should use OCSP? Should both get different
>> ports?
>
> A more sophisticated responder could switch to an appropriate CA based on the
> actual requests. That simple test application has a fixed responder certificate.

So, would it be better if I make 2 ports for my 2 CAs? e.g. 8888 =
root CA and 8889 = intermediate CA?
(Hmm... it would be nicer if there were something like
http://www.example.com/ocsp/root/ and
http://www.example.com/ocsp/intermediate/, but then 2 OCSP servers plus
Apache would use port 80 at the same time...)

>> 4) How can I add the OCSP URL to the root and intermediate
>> certificates? (I use the subprograms req + ca)
>
> http://www.openssl.org/docs/apps/x509v3_config.html#Authority_Info_Access_
>
>> Thank you.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org