[Openswan Users] ocsp & openswan

Andreas Steffen andreas.steffen at strongsec.net
Fri Jun 17 21:25:49 CEST 2005

Hi David,

by "http post" I mean that OCSP uses the HTTP protocol as a transport
medium. This does not imply that the well-known http port 80 must be
used. If the OCSP server listens on port x then the OCSP URI must
be defined as:

ca strongswan

in ipsec.conf or if you include an authorityInfoAccess extension
in the end entity certificates:


Of course you are free to choose port 80 for the OCSP service.
In that case you won't need to specify any port number in the OCSP URI.



david wrote:
>>Most people don't even use CRLs ;-)
>>If you want a working OCSP solution then switch to strongSwan found at
>>  http://www.strongswan.org
> Hi Andreas,
> I see in the strongswan documentation that an OCSP server can be
> started like this:
> openssl ocsp -index index.txt -CA strongswanCert.pem -port 8880 \
>              -rkey ocspKey.pem -rsigner ocspCert.pem \
>              -resp_no_certs -nmin 60 -text
> So this server is listening to the port 8880.
> but in the fetch.c file of openswan or strongswan I find that the
> requests from the client are sent "via http post using libcurl" (in
> the "fetch_ocsp_status" function).
> So the requests are sent via http to the ocsp server on port 80 ...
> Does the server listen to the port 80 too?
> What did I miss?
> david
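
The point of the reply above, as an added example that is not part of the original message or of the openswan/strongSwan sources: an OCSP client takes the TCP port from the OCSP URI and only falls back to 80 when the URI names none. The host name, the helper names and the request bytes are constructed for illustration, and accepting only http:// URIs is a choice made for this sketch.

```python
from urllib.parse import urlsplit

DEFAULT_HTTP_PORT = 80

# Constructed placeholder body (an empty DER SEQUENCE), not a valid OCSPRequest.
SAMPLE_REQUEST = bytes.fromhex("3000")


def ocsp_post_target(ocsp_uri):
    """Return the (host, port, path) a client connects to for this OCSP URI."""
    parts = urlsplit(ocsp_uri)
    if parts.scheme.lower() != "http" or not parts.hostname:
        raise ValueError("expected an http:// OCSP URI, got %r" % ocsp_uri)
    # HTTP is only the transport: the port is whatever the URI says,
    # and 80 applies only when the URI carries no port at all.
    port = parts.port if parts.port is not None else DEFAULT_HTTP_PORT
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.hostname, port, path


def build_ocsp_post(ocsp_uri, der_request):
    """Build the raw HTTP POST that carries a DER-encoded OCSP request."""
    host, port, path = ocsp_post_target(ocsp_uri)
    if ":" in host:                      # IPv6 literal needs brackets again
        host = "[%s]" % host
    # The Host header repeats the port only when it is not the default.
    host_header = host if port == DEFAULT_HTTP_PORT else "%s:%d" % (host, port)
    head = (
        "POST %s HTTP/1.0\r\n"
        "Host: %s\r\n"
        "Content-Type: application/ocsp-request\r\n"
        "Content-Length: %d\r\n"
        "\r\n" % (path, host_header, len(der_request))
    )
    return head.encode("ascii") + der_request


if __name__ == "__main__":
    # Constructed URIs: one for a responder on port 8880, one with no port.
    for uri in ("http://ocsp.example.org:8880", "http://ocsp.example.org/ocsp"):
        host, port, path = ocsp_post_target(uri)
        print("%s -> connect to %s port %d, POST %s" % (uri, host, port, path))
    print(build_ocsp_post("http://ocsp.example.org:8880", SAMPLE_REQUEST))
```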
