Mallikarjunarao Kosuri

Reputation: 1111

How to make openssl ocsp responder busy

I am new to the SSL environment, so please bear with me.

I am putting the information I know here.

By reading the different pages on openssl OCSP, I started the server successfully for one issuer, based on my understanding of this post: https://stackoverflow.com/a/40877330/358458.

Note that one process uses one 'database' file and supports one issuer. If you need more than one issuer, you could run several processes on different ports and/or different addresses on a machine with multiple addresses.

I have two basic questions; please correct me if the questions are invalid.

  1. Is the OCSP responder the same for multiple issuers? If so, how do I make the OCSP responder busy?
  2. If not, how do I make a single-issuer responder busy? By using a script, or a larger number of requests?

Upvotes: 0

Views: 593

Answers (1)

Joseph Riopelle

Reputation: 179

I don't understand 'make busy'. If you are looking to perform a denial of service attack, look elsewhere.

It is true that openssl ocsp only supports one issuer per launch, or port in your case. Also, it only supports one request at a time on said port. openssl ocsp is only designed as an example/reference/test responder, not a production OCSP responding server. There are ways around this, however:

  • Use a different OCSP responder server program (easiest)
  • Use the openssl ocsp -multi argument to launch a threaded OCSP responder that is capable of handling multiple simultaneous requests (still, only one issuer per instance)
  • Use the -reqin and -respout arguments detailed in man ocsp to process requests on the filesystem instead of launching a full responder. With this, you can use an HTTP server, CGI, and a script to parse the issuer hash field of the OCSP request to tailor your configuration and response to a specific issuer, all from one address/location. This is what I do, and it is no picnic, but you can achieve production load and availability this way if desired.

Upvotes: 0
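The third option in the answer above routes each request on the issuer hash it carries. As an added example (not the answerer's script and not part of the original post), this Python code reads `issuerNameHash` from a DER-encoded OCSPRequest and selects a per-issuer configuration; the issuer table, its path, the sample request and the policy of refusing mixed-issuer requests are assumptions.

```python
import hashlib

def read_tlv(buf, pos):
    """Decode one DER element at pos -> (tag, value, next_pos); reject bad lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split a constructed element's contents into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def cert_ids(der):
    """Return [(issuerNameHash hex, serial)] for each Request in an OCSPRequest."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a DER OCSPRequest")
    tbs = children(children(body)[0][1])             # fields of tbsRequest
    req_list = next(v for t, v in tbs if t == 0x30)  # skips optional [0]/[1] fields
    ids = []
    for _, req in children(req_list):
        _alg, name, _key, serial = children(children(req)[0][1])  # CertID fields
        ids.append((name[1].hex(), int.from_bytes(serial[1], "big")))
    return ids

def route(der, issuers):
    """Pick the per-issuer config; None for malformed, unknown or mixed-issuer input."""
    try:
        hashes = {h for h, _ in cert_ids(der)}
    except (ValueError, IndexError, StopIteration):
        return None
    return issuers.get(hashes.pop()) if len(hashes) == 1 else None

def tlv(tag, val): return bytes([tag, len(val)]) + val  # sample builder, short lengths only
NAME_HASH = hashlib.sha1(b"constructed issuer DN").digest()  # constructed stand-in hash
CERT_ID = tlv(0x30, bytes.fromhex("300906052b0e03021a0500") + tlv(0x04, NAME_HASH)
              + tlv(0x04, bytes(20)) + tlv(0x02, b"\x10\x00"))  # SHA-1 CertID, serial 0x1000
SAMPLE = tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, CERT_ID))))  # constructed OCSPRequest
ISSUERS = {NAME_HASH.hex(): {"index": "issuer-a/index.txt"}}  # hypothetical path
```

The selected entry would supply the per-issuer files for the `-reqin`/`-respout` invocation the answer describes. Table keys must be computed with the same hash algorithm the client's CertID names, which is SHA-1 in this sample.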
