> My webserver is getting flooded with queries like:
>
> ocsp.omniroot.com 124.205.254.7 - - [30/Apr/2015:19:24:30 +0200] "GET
> /baltimoreroot/MEowSKADAgEAMEEwPzA9MAkGBSsOAwIaBQAEFMEvRXbt
> FVnssF26ib%2BdgHjlI9QTBBTlnVkwgkdYzKz6CFQ2hns6tQRN8AIEByekag%3D
> %3D
> HTTP/1.1" 301 184 "-" "ocspd/1.0.3"

Well, that stinks. URL-decoding (%2b is + and %3d is =), and then base64 decoding it can give you the OCSP request:

    ; ./openssl ocsp -text -reqin x.der
    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: C12F4576ED1559ECB05DBA89BF9D8078E523D413
              Issuer Key Hash: E59D5930824758CCACFA085436867B3AB5044DF0
              Serial Number: 0727A46A

> Is it possible to say what "Common name / fqdn / certificate" is queried in
> such requests?

Not really. The protocol assumes that the requestor has the cert, and the server has the serial#, so the protocol sends the minimal information. Sorry.
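
The decoding steps described in the reply above (URL-decode, base64-decode, read the CertID), as an added example that is not part of the original message: a standard-library Python parser for the request embedded in the logged GET path. The names parse_ocsp_get, tlv and SAMPLE are made up for this example; SAMPLE is the path segment from the quoted log line.

```python
import base64
from urllib.parse import unquote

# Last path segment of the GET request in the log line quoted in the post.
SAMPLE = ("MEowSKADAgEAMEEwPzA9MAkGBSsOAwIaBQAEFMEvRXbtFVnssF26ib%2BdgHjlI9QT"
          "BBTlnVkwgkdYzKz6CFQ2hns6tQRN8AIEByekag%3D%3D")

# DER-encoded OID bodies for the CertID hash algorithm.
HASH_OIDS = {bytes.fromhex("2b0e03021a"): "sha1",
             bytes.fromhex("608648016503040201"): "sha256"}

def tlv(buf, pos, want=None):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    if want is not None and tag != want:
        raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
    return tag, buf[pos:pos + length], pos + length

def parse_ocsp_get(path_segment):
    """URL-decode, base64-decode, then walk OCSPRequest down to each CertID."""
    der = base64.b64decode(unquote(path_segment))
    _, ocsp_req, _ = tlv(der, 0, 0x30)
    _, tbs, _ = tlv(ocsp_req, 0, 0x30)
    pos = 0
    while pos < len(tbs) and tbs[pos] != 0x30:  # skip [0] version, [1] requestorName
        _, _, pos = tlv(tbs, pos)
    _, request_list, _ = tlv(tbs, pos, 0x30)
    results, pos = [], 0
    while pos < len(request_list):
        _, request, pos = tlv(request_list, pos, 0x30)
        _, cert_id, _ = tlv(request, 0, 0x30)
        _, alg, p = tlv(cert_id, 0, 0x30)
        _, oid, _ = tlv(alg, 0, 0x06)
        _, name_hash, p = tlv(cert_id, p, 0x04)
        _, key_hash, p = tlv(cert_id, p, 0x04)
        _, serial, _ = tlv(cert_id, p, 0x02)
        results.append({"hash_alg": HASH_OIDS.get(oid, oid.hex()),
                        "issuer_name_hash": name_hash.hex().upper(),
                        "issuer_key_hash": key_hash.hex().upper(),
                        "serial": serial.hex().upper()})
    return results

if __name__ == "__main__":
    for cert in parse_ocsp_get(SAMPLE):
        print(cert)
```

Run over every OCSP GET line in an access log, the issuer key hash and serial can be counted per client to see whether the flood concerns one certificate or many.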