0

I am new to ssl environment, please bear with me.

The information what I know I am putting here.

By reading the different page of openssl OCSP

I started the server successfully for one issuer by understanding from this post https://stackoverflow.com/a/40877330/358458.

Note that one process uses one 'database' file and supports one issuer. If you need more than one issuer, you could run several processes on different ports and/or different addresses on a machine with multiple addresses.

I have two basic questions, please correct me the questions are invalid.

  1. Is OCSP responder is same for multiple issuers? If so how to make OCSP responder busy?
  2. If not how to make singe issuer responder busy? using any script or more number of requests to?
Mallikarjunarao Kosuri
  • 1,023
  • 7
  • 25
  • 52

1 Answers1

1

I don't understand 'make busy'. If you are looking to perform a denial of service attack, look elsewhere.

It is true that openssl ocsp only supports one issuer per launch, or port in your case. Also, it only supports one request at a time on said port. openssl ocsp is only designed as an example/reference/test responder, not a production OCSP responding server. There are ways around this however;

  • Use a different OCSP responder server program (easiest)
  • Use the openssl ocsp -multi argument to launch a threaded OCSP responder that is capable of handling multiple simultaneous requests (still, only one issuer per instance)
  • Use the the -reqin and -respout arguments detailed in man ocsp to process requests on the filesystem instead of launching a full responder. With this, you can use a http server, CGI, and a script to parse the issuer hash field of the OCSP request to tailor your configuration and response to a specific issuer, all from one address/location. This is what I do, and it is no picnic, but you can achieve production load and availability this way if desired.
Joseph Riopelle
  • 121
  • 1
  • 6