I know that we need
* ocsp responder cert for verifying the signature of ocsp response,
* CA issuer cert to generate CERTID for ocsp request
and
* ocsp requestor can choose to sign ocsp request using a signer certificate.
But instead of having users set that as 3 different settings, I am
Hello,
I've created a CA using EasyRSA, which is based on openssl. I'm trying to run
"openssl ocsp" in server mode. Everything starts just fine and it processes
client requests, but no matter what certificate I try to query, the openssl
ocsp responder sends "Cert S
OCSP responder app is trying to read OCSP_RESPONSE instead of OCSP_REQUEST
in do_responder function.
Created https://github.com/openssl/openssl/issues/13904
Thanks,
Thulasi.
On 2020-11-09 09:58, Venkata Mallikarjunarao Kosuri via openssl-users wrote:
Hi
We are trying to work scenario to openssl OCSP responder busy, but we
are not sure how to make OCSP responder busy could please throw some
pointer to work on.
Ref https://www.openssl.org/docs/man1.0.2/man1
Hi
We are trying to work scenario to openssl OCSP responder busy, but we are not
sure how to make OCSP responder busy could please throw some pointer to work on.
Ref https://www.openssl.org/docs/man1.0.2/man1/ocsp.html
Thanks
Malli
> From: perumal v
> Sent: Wednesday, 4 November, 2020 02:13
> change is highlighted below and basically keeping [] brackets for ipv6 :
>
> OCSP_parse_url
> p = host;
> if (host[0] == '[') {
> /* ipv6 literal */
> //host++;
> p = strchr(host, ']');
> if (!p)
>
HI,
it started working after modification in OCSP_parse_url
change is *highlighted* below and basically keeping [] brackets
for ipv6 :
OCSP_parse_url
p = host;
if (host[0] == '[') {
/* ipv6 literal */
*//host++; *
p = strchr(host, ']');
if (!
> From: openssl-users On Behalf Of perumal v
> Sent: Monday, 2 November, 2020 07:57
> I tried openssl ocsp for ipv6 and got the error message for the OCSP.
> openssl ocsp -url http://[2001:DB8:64:FF9B:0:0:A0A:285E]:8090/ocsp-100/
> -issuer ...
> Error creating connect BIO
> 140416130504448:erro
"[]" bracket.
--
openssl ocsp -url http://*2001:DB8:64:FF9B:0:0:A0A:285E*:8090/ocsp-100/
-issuer /etc/cert/ipsec/cert0/ca.crt -CAfile /etc/cert/ipsec/cert0/ca.crt
-cert /etc/cert/ipsec/cert0/cert.crt
*Error connecting BIO
Error querying OCSP responder*
i am using openssl version : *openssl vers
Hi,
Can anyone tell me how to serve pre-produced responses with OpenSSL's
OCSP responder? My current understanding is that what I'm doing should
work, but it doesn't. The pre-produced response correctly prints to
stdout...but it doesn't actually go back to the client (instead
The code for the command "openssl xyz" is usually in the source
file apps/xyz.c .
So the example OCSP responder is probably in the file apps/ocsp.c .
On 04/04/2017 09:04, RajatRokade wrote:
Hi..
I want to create an OCSP responder running on my local machine to avoid the
requirement o
Hi..
I want to create an OCSP responder running on my local machine to avoid the
requirement of internet connection. I tried using the command line approach
to set up a new CA, build database, run the responder on the localhost and
finally query the OCSP responder. I was able to query the server and
> Are these the only three error codes ?
Nope. It's not standardized at all sadly
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> From: "Salz, Rich"
> Date: 09/14/15 16:07
> Are you talking about the command-line?
Yes.
> It would be great if someone sent in a patch that standardized
> and documented exit codes, like 0 for got a "good"
> response, "1" for got a "bad" response, and 10 for got an
> unparseable response
> The documentation does not seem too clear about what the behaviour
> exactly is when OpenSSL deals with a broken OCSP responder. For instance,
> one that would send an OK without any contents. We call openssl from an
> application and would like to know what is returned in such a
Hello,
The documentation does not seem too clear about what the behaviour exactly is
when OpenSSL deals with a broken OCSP responder. For instance, one that would
send an OK without any contents. We call openssl from an application and would
like to know what is returned in such a case, or
Hi,
I am using openssl OCSP utility as OCSP Responder in linux platform.
Currently as soon as the code which I am using as OCSP Requester gets OCSP
Response it sends the FIN and openssl OCSP Responder also generates the FIN
request to clear the connection as soon as it sends the OCSP Response
.6102.n7.nabble.com/OCSP-responder-www-openca-org-tp45981p45989.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing
Hi,
when I was looking for an OCSP responder in January I also found
OpenCA.org and I also think it is dead.
If you want to use it, read the mailing list. Someone posted important
patches (against memory leaks and other things).
Another thing is, that I am not sure if an OCSP responder, which
I came across http://www.openca.org
for a open source OCSP responder.
Anyone know anything about this, It seems abandoned?
I would like a standalone OCSP responder to keep things simple
and a well documented way to provide a CRL list for the OCSP responder to
work with.
The source code seems to
> From: owner-openssl-us...@openssl.org On Behalf Of deepak.kathuria
> Sent: Monday, 15 July, 2013 23:31
> I am using openssl OCSP utility as OCSP Responder in linux
> platform. Once
> OCSP Responder receives OCSP Request it will send OCSP Response and
> terminate the TCP con
Hi,
I am using openssl OCSP utility as OCSP Responder in linux platform. Once
OCSP Responder receives OCSP Request it will send OCSP Response and
terminate the TCP connection by sending FIN for TCP Connection. Why OCSP
responder trying to close the connection? Is there any way by which OCSP
Salz, Rich wrote:
neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null, let this line
"disappear"
Redirections happen left-to-right. So do this:
>/dev/null 2>&1
left-to-right? outer-to-inner, I understand;
Or the simpler
2>/dev/nul
ok
Thanks,
Walter
Dr. Stephen Henson wrote:
On Wed, Dec 12, 2012, Walter H. wrote:
Hello,
when using
openssl ocsp ...
in a CGI script, you must use -noverify
because without, this creates the line
Response verify OK
neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null, let this line
"disappear"
so this
> neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null, let this line
> "disappear"
Redirections happen left-to-right. So do this:
>/dev/null 2>&1
Or the simpler
2>/dev/null
--
Principal Security Engineer
Akamai Technology
Cambridge, MA
___
On Wed, Dec 12, 2012, Walter H. wrote:
> Hello,
>
> when using
>
> openssl ocsp ...
>
> in a CGI script, you must use -noverify
> because without, this creates the line
>
> Response verify OK
>
> neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null, let this line
> "disappear"
>
> so this s
Hello,
when using
openssl ocsp ...
in a CGI script, you must use -noverify
because without, this creates the line
Response verify OK
neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null, let this line
"disappear"
so this shoots either a 500 page or an invalid OCSP response is sent,
which
ot CA I signed also a certificate, with the purpose of
> signing OCSP Responder; using parameter -addtrust OCSPSigning
> when calling openssl x509 and also with 'extendedKeyUsage =
> OCSPSigning' in my openssl.cnf;
>
> so I have the following files
>
> the CA database:
Hello,
I have created a self signed root CA certificate, and two other CA
certificate, that I signed with this self signed root certificate;
and these SubCA certificates are used for signing requests;
with the root CA I signed also a certificate, with the purpose of
signing OCSP Responder
much more sensible setup (in most cases) would be to invoke the
openssl ocsp responder as a backend to a real HTTP(S) server such as
Apache, when the request specifies the relevant URL, while other URLs
could return "normal" content such as CRLs, CA certs, policies,
introductory front p
urope.de to master.openssl.org by
14:21 +1, then X-Greylist: delayed 1016 seconds (about 17min),
but no relay until Nov 30 15:19 +1, which my mailhost got 3min later.
> I use Ubuntu 12.04 64bit server [with] openssl 1.0.1-4ubuntu5.5 ...
> Now I want to use the ocsp responder for testing.
> I start in te
Hi,
Hello,
i have a question.
I use Ubuntu 12.04 64bit server.
The openssl version is 1.0.1-4ubuntu5.5
On the same server is installed apache2 with ssl support.
Everything works well.
Now I want to use the ocsp responder for testing.
I start in terminal 1:
>openssl ocsp -index /etc/
How can the ocsp responder be run non-interactively (e.g., run from
a script so that the person running the script does not have to type
in the OCSP signing key password)?
(Yes, I know that that generally isn't secure, but in this case it
doesn't need to be. (It's for an exa
0.0.0.0:-> 0.0.0.0:
127.0.0.1: -> 127.0.0.1:
::: -> :::
::1:-> ::1:
Currently it's not documented that you can use the IP address in the
port string. So the best thing to do with the current stable version is
to use the port string "
Hello,
I have been developing an application using OpenSSL that needs an OCSP
responder, and for testing I use the following command to create the
responder:
openssl ocsp -index ./CA/index.txt -port -rsigner
./CA_resp/certs/responder.pem -rkey ./CA_resp/private/server.key -CA
./CA/ca.pem
Hi,
Is there a way to make the version 1.0.0a ocsp responder to sign
responses using SHA256? The rsigner certificate is SHA256 and the
requests are signed with SHA256 but responses are always SHA1.
I saw a reference in a thread from 5/13/10 to
"draft-ietf-pkix-ocspagility" tha
On Tue, Jun 08, 2010, Arunkumar Manickam wrote:
>
> When will an ocsp responder respond with "unauthorized error" for a ocsp
> request. It is an windows server 2008 machine.
>
Well when, for some reason, the responder doesn't like the requestor. This
could be,
Hi,
When will an ocsp responder respond with "unauthorized error" for a ocsp
request. It is an windows server 2008 machine.
Thanks,
Arun
ave to watch out for
revocation/ocsp checks on the ocsp responder cert - that's where the
"nocheck" extension comes in. You can tune your responder for
performance/cert maintenance by choosing between these methods. I just use
a self signed trusted ocsp cert because that was ea
howto make the OCSP certificate.
This is the section I added to my openssl.cnf file.
[ ocsp_cert ]
# These extensions are added when 'ca' signs a request for an OCSP responder.
basicConstraints=CA:FALSE
extendedKeyUsage= OCSP Signing
noCheck = yes
...
Then as my other post
Hi, all

I would like to test my OCSP client.
I noticed that when getting a response, the responder ID in the OCSP
response can be presented by name or key hash.
If I use OpenSSL as the responder, can OpenSSL provide the response
with the responder ID in Key ha
Hi everyone,
I just revoked the OCSP responder certificate as you can see:
file index.txt --
R 040530223109Z 030605151409Z 03 unknown
/C=ES/ST=Andalusia/L=Seville/O=Mazinger Z inc./OU=pepe/CN=OCSP responder
prueba 2/emailAddress=ocsp
- end of index.txt
In message <[EMAIL PROTECTED]> on Tue, 16 Apr 2002 00:58:16 +0200,
Averroes <[EMAIL PROTECTED]> said:
averroes> My question is, the OCSP Responder acts as a daemon since it listens on
averroes> port and wait for requests. Does openssl OCSP Responder mature
averroes>
Hi All,
Here is what i got by running openssl as OCSP responder:
othe:~# netstat -tuan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:0.0.0.0:*
LISTEN
After
Hello Andre,
You can also use www.openvalidation.org. It offers a nice OCSP Responder for test issue. In fact the product behind is from Sytrust.
Sylvain
Sylvain Maret
Senior Security
> within my diploma thesis I work with OCSP. I would like to test some
>client software (Netscape and Baltimore Mailsecure) supporting OCSP with
>some OCSP-Responder. As the ValiCert OCSP-Responder is not
> as cheap as I like it, I'd like to ask you if you know some free
>
47 matches