On 2009.05.21 at 11:34:12 +0200, Marc Rios Valles wrote:

> I'm running the server as is indicated in the openssl web page:
>
> openssl ocsp -index index_file.txt -CA ca-cert.pem -rsigner rsigner_cert
> -rkey rsigner_key -port 8888 -text -out log.txt
>
> If I send an ocsp petition to the server, the server answers the client
> correctly with the response.
If I needed to run an OCSP server and had no time to write a custom server based on the OpenSSL OCSP API, I would do the following:

1. Install a usual HTTP server (e.g. Apache).
2. Write a CGI script which runs openssl ocsp with the option -reqin, i.e. it does not listen on the port itself, but gets the request from a file or from stdin.
3. Maybe do some verification of the request format in the script before passing it to openssl ocsp (i.e. parse the ASN.1 structure using some scripting language which isn't vulnerable to buffer overflows).

Thus I would have much more robust HTTP server code, and I would make sure that only sanitized input is passed to openssl ocsp, which has access to the response signing keys.

As a side effect, a fresh copy of openssl ocsp would be run each time a request is processed, so the index file would be reread. Running a fresh copy each time a request is processed might not be desirable if you have a heavily loaded OCSP server (although you'll notice a slowdown only if you have several requests per second, even if your index.txt contains thousands of lines).

Another setup is also possible: write a CA script which is invoked each time you create or revoke a certificate (and actually calls openssl ca with the appropriate parameters) and which restarts the ocsp server process. But I'm afraid that this setup is less scalable than the setup described above. Of course several processes reading index.txt each time would eat up more CPU time, but they would process requests in parallel. And openssl ocsp in server mode processes requests sequentially, and thus can serve them more slowly than the CGI solution, especially on a multicore system.

> apps/ocsp.c:707 if (ridx_filename && !rdb)
>
> if rdb is not null the index will never be read, so the server only
> consults the index file one time in all execution. Is this a desired
> feature? I will correct this line to:
>
> apps/ocsp.c:707 if (ridx_filename)

Better to store the file modification time when the file is read, and then reread the file if its modification time has changed. Then you'll need only one stat syscall if the file is not modified since the previous read.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
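The two ideas in the reply above, a CGI wrapper that sanity-checks the DER request in a memory-safe language before a fresh openssl ocsp process sees it, and an index.txt cache that only rereads the file when its modification time changes, worked out as an added example. This is not code from the thread or from the OpenSSL project. It assumes that the local openssl build accepts "-" for stdin/stdout with -reqin and -respout (the flags -index, -CA, -rsigner and -rkey and the file names are taken from the quoted command), that the CGI server delivers the POSTed request body on stdin, and a constructed 4 KiB ceiling on request size; the index.txt layout parsed here is the tab-separated format written by openssl ca (status, expiry, revocation date, serial, file name, subject).

```python
"""CGI front end for a one-shot `openssl ocsp -reqin` responder, with a DER
sanity check and an mtime-gated reload of index.txt (example code, not from
the thread)."""
import os
import subprocess
import sys

MAX_REQUEST_BYTES = 4096  # constructed ceiling; a real OCSP request is a few hundred bytes


def der_outer_sequence_ok(data: bytes, max_len: int = MAX_REQUEST_BYTES) -> bool:
    """Return True only if `data` is exactly one definite-length DER SEQUENCE.

    An OCSPRequest is a SEQUENCE, so this rejects empty, truncated, oversized,
    indefinite-length and non-minimally encoded input before the bytes reach
    the process that holds the signing key."""
    if not data or len(data) > max_len or data[0] != 0x30 or len(data) < 2:
        return False
    first = data[1]
    if first == 0x80:                              # indefinite length: BER, never DER
        return False
    if first < 0x80:                               # short form: one length byte
        body_len, hdr = first, 2
    else:                                          # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length_bytes = data[2:2 + n]
        if length_bytes[0] == 0 or (n == 1 and length_bytes[0] < 0x80):
            return False                           # leading zero / short value: not minimal DER
        body_len, hdr = int.from_bytes(length_bytes, "big"), 2 + n
    return hdr + body_len == len(data)             # no trailing garbage, no truncation


def ocsp_command(index_file, ca_cert, rsigner_cert, rsigner_key):
    """argv for a one-shot responder: DER request on stdin, DER response on stdout.
    '-' for stdin/stdout with -reqin/-respout is an assumption about this build."""
    return ["openssl", "ocsp", "-index", index_file, "-CA", ca_cert,
            "-rsigner", rsigner_cert, "-rkey", rsigner_key,
            "-reqin", "-", "-respout", "-"]


class IndexCache:
    """Reread index.txt only when its mtime changes: one stat() per lookup on
    the hot path, a full reread only after openssl ca has rewritten the file."""

    def __init__(self, path):
        self.path = path
        self.mtime_ns = None      # None forces the first lookup to load the file
        self.entries = {}
        self.reloads = 0          # exposed so the behaviour can be checked

    @staticmethod
    def _parse(text):
        # openssl ca index.txt: status<TAB>expiry<TAB>revocation<TAB>serial<TAB>file<TAB>subject
        table = {}
        for line in text.splitlines():
            fields = line.split("\t")
            if len(fields) >= 4 and fields[0] in ("V", "R", "E"):
                table[fields[3].upper()] = fields[0]
        return table

    def lookup(self, serial_hex):
        st = os.stat(self.path)
        if st.st_mtime_ns != self.mtime_ns:
            with open(self.path, encoding="ascii") as fh:
                self.entries = self._parse(fh.read())
            self.mtime_ns = st.st_mtime_ns
            self.reloads += 1
        return self.entries.get(serial_hex.upper(), "unknown")


def handle_cgi():
    """CGI entry point: read the POSTed DER request, check it, then hand it to
    a fresh openssl ocsp process and relay the DER response."""
    raw = sys.stdin.buffer.read(MAX_REQUEST_BYTES + 1)
    if not der_outer_sequence_ok(raw):
        sys.stdout.write("Status: 400 Bad Request\r\n\r\n")
        return 1
    cmd = ocsp_command("index_file.txt", "ca-cert.pem", "rsigner_cert", "rsigner_key")
    proc = subprocess.run(cmd, input=raw, capture_output=True, timeout=10)
    if proc.returncode != 0 or not proc.stdout:
        sys.stdout.write("Status: 500 Internal Server Error\r\n\r\n")
        return 1
    sys.stdout.write("Content-Type: application/ocsp-response\r\n\r\n")
    sys.stdout.flush()
    sys.stdout.buffer.write(proc.stdout)
    return 0


if __name__ == "__main__":
    sys.exit(handle_cgi())
```

The DER check is deliberately shallow: it confirms the outer framing is self-consistent and bounded, which is enough to keep malformed or oversized blobs away from the signer without reimplementing the OCSPRequest parser. IndexCache is what a long-running responder would use in place of the per-request reread; the CGI path gets the fresh reread for free because each request spawns a new openssl ocsp.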
