> From: owner-openssl-us...@openssl.org On Behalf Of deepak.kathuria
> Sent: Monday, 15 July, 2013 23:31

> I am using openssl OCSP utility as OCSP Responder in linux platform. Once
> OCSP Responder receives OCSP Request it will send OCSP Response and
> terminate the TCP connection by sending FIN for TCP Connection. Why is OCSP
> responder trying to close the connection? Is there any way by which OCSP
> Responder is configured to retain the connection.
>
> OCSP Request packet has Connection field as Keep-Alive in HTTP header while
> response packet from OCSP Responder does not have any Connection field in
> HTTP header (OCSP Response is generated by OCSP Responder using openssl ocsp
> utility). Is there any way to set Connection field as Keep-Alive in HTTP
> header in OCSP Responder message?
>

No, commandline ocsp 'server' clearly expects to receive and respond to one request per connection, although (like most internet servers) it will accept a series of connections.

Note that the response version is hardcoded as HTTP/1.0. The 1.0 standard specifies one request per connection, and allows (but discourages) using transport close (FIN) to delimit the response body instead of content-length. It does not have the Connection header or any keep-alive logic, although those were fairly common extensions to 1.0 before 1.1 became standard.

Since the code does in fact send content-length, and already loops for multiple connections, it shouldn't be hard to change it to loop for multiple requests on a connection (and then multiple connections, probably) although in a semi-realistic environment with multiple requesters this would allow one to starve the others unless you dedicate a responder to each requester. Changing to handle multiple requests per connection and multiple connections in one process would require threading which is more work and not portable across the systems openssl supports, or managing a pool of nonblocking sockets/BIOs which is quite a bit more work.

It might be easier to write your own responder using bits and pieces of ocsp.c that works as you want.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
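
The change the reply sketches, looping for several requests on one connection because every response already carries Content-Length, shown as an added Python illustration (not code from ocsp.c or the OpenSSL project). The per-connection cap and idle timeout are assumptions added here to bound the starvation the reply mentions, and `make_response` is a hypothetical callback standing in for building the real OCSP response.

```python
import socket

MAX_REQUESTS_PER_CONN = 3  # assumed cap: bounds how long one requester can hold the responder
IDLE_TIMEOUT = 2.0         # assumed seconds to wait for a follow-up request

def read_request(rfile):
    """Read one Content-Length framed request; return (headers, body) or None at EOF."""
    if not rfile.readline().strip():          # request line; empty means the peer closed
        return None
    headers = {}
    for line in iter(rfile.readline, b""):
        if line in (b"\r\n", b"\n"):          # blank line ends the header block
            break
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    if length < 0:
        raise ValueError("negative Content-Length")
    return headers, rfile.read(length)

def serve_connection(conn, make_response):
    """Answer requests on one connection until close, idle timeout or the cap; return the count."""
    conn.settimeout(IDLE_TIMEOUT)
    rfile = conn.makefile("rb")
    served = 0
    try:
        while served < MAX_REQUESTS_PER_CONN:
            request = read_request(rfile)
            if request is None:
                break
            headers, body = request
            served += 1
            # Persist only if the client asked for it and the cap is not reached.
            keep = (headers.get("connection", "").lower() == "keep-alive"
                    and served < MAX_REQUESTS_PER_CONN)
            payload = make_response(body)     # hypothetical callback returning response bytes
            head = ("HTTP/1.0 200 OK\r\n"
                    "Content-Type: application/ocsp-response\r\n"
                    f"Content-Length: {len(payload)}\r\n"
                    f"Connection: {'Keep-Alive' if keep else 'close'}\r\n\r\n")
            conn.sendall(head.encode("ascii") + payload)
            if not keep:
                break
    except (OSError, ValueError):             # timeout, reset or bad framing: drop the connection
        pass
    finally:
        rfile.close()
        conn.close()
    return served
```

A single-threaded accept loop would call `serve_connection` once per accepted socket, so the cap and timeout are what keep one requester from blocking the rest.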