
List:       openssl-users
Subject:    RE: OCSP Responder
From:       "Dave Thompson" <dthompson () prinpay ! com>
Date:       2012-11-30 21:32:14
Message-ID: 7C82FC1B9C8E4FF594DC510A54DCADA5 () prinpay ! com

> From: owner-openssl-users@openssl.org On Behalf Of Rainer Rill
> Sent: Sunday, 25 November, 2012 08:04 [in zone -5]

I don't know what happened to this post. Headers (as resent) 
show originator stamp Nov 25 14:04 +1 and initial transmission 
.superkabel.de to .hosteurope.de to master.openssl.org by 
14:21 +1, then X-Greylist: delayed 1016 seconds (about 17min), 
but no relay until Nov 30 15:19 +1, which my mailhost got 3min later.

> I use Ubuntu 12.04 64bit server [with] openssl 1.0.1-4ubuntu5.5 ...

> Now I want to use the ocsp responder for testing.
> I start in terminal 1:
> >openssl ocsp -index /etc/ssl/index.txt -CA 
> /etc/ssl/private/ca.crt -rkey /etc/ssl/private/ca.key -port 
> 443 -nmin 10
> > Waiting for OCSP client connections...
> 
> Then in another terminal:
> >openssl s_client -connect localhost:443
> 
> The result is: <protocol reject>

> It would be great if they have a small hint for me.

Hint: OCSP transport is NOT SSL/TLS. It is HTTP-based.
In principle it can be HTTPS, but normally needn't be, 
because it is signed and cert data is public anyway, 
and the OpenSSL commandline responder only does HTTP 
(and a very minimal HTTP at that).

s_client (and s_server) implements SSL/TLS, not 
full HTTPS and not HTTP at all.

The commandline ocsp requester can send (HTTP or HTTPS) to the responder 
and save the response, which you then verify. See the man page.

A real app (including a verify callback to use OCSP for SSL/TLS) 
would need to send the request, verify the response, and then 
actually use the contents of the response (if valid).

Using port 443 for the OpenSSL responder, which isn't HTTPS, 
is misleading. 80, if available, would be consistent with 
the protocol, but the OpenSSL responder is not a general-purpose 
webserver, so something like 1080 might be better.
The man page example uses 8888.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org