[Openswan Users] ocsp & openswan
Andreas Steffen
andreas.steffen at strongsec.net
Fri Jun 17 21:25:49 CEST 2005
Hi David,
by "http post" I mean that OCSP uses the HTTP protocol as a transport
medium. This does not imply that the well-known http port 80 must be
used. If the OCSP server listens on port x then the OCSP URI must
be defined as:
    ca strongswan
        cacert=strongswanCert.pem
        ocspuri=http://ocsp.strongswan.org:x
        auto=add
in ipsec.conf or if you include an authorityInfoAccess extension
in the end entity certificates:
    authorityInfoAccess=OCSP;URI:http://ocsp.strongswan.org:x
Of course you are free to choose port 80 for the OCSP service.
In that case you won't need to specify any port number in the OCSP URI.
Regards
Andreas
david wrote:
>>Most people don't even use CRLs ;-)
>>
>>If you want a working OCSP solution then switch to strongSwan found at
>>
>> http://www.strongswan.org
>>
>>Regards
>>
>>Andreas
>>
>
>
> Hi Andreas,
>
> I see in the strongswan documentation that an OCSP server can be
> started like this:
>
> openssl ocsp -index index.txt -CA strongswanCert.pem -port 8880 \
> -rkey ocspKey.pem -rsigner ocspCert.pem \
> -resp_no_certs -nmin 60 -text
>
> So this server is listening on port 8880.
>
> But in the fetch.c file of openswan or strongswan I find that the
> requests from the client are sent "via http post using libcurl" (in
> the "fetch_ocsp_status" function).
>
> So the requests are sent via http to the ocsp server on port 80 ...
>
> Does the server listen on port 80 too?
> What did I miss?
>
> david
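The following script is an added example, not code from this thread, from strongSwan or from Openswan. It illustrates Andreas's answer end to end: a throw-away CA issues an end-entity certificate whose authorityInfoAccess extension names an OCSP responder on a non-standard port, and the same `openssl ocsp -index ... -rkey ... -rsigner ...` responder invocation David quotes is run in file mode (`-reqin`/`-respout`) instead of on a listening port, so the request/response exchange can be followed without any network. The host name `ocsp.example.test`, port 8880, all key material and the `index.txt` row are constructed here; the only thing the port number changes is the URI the client is given.

```shell
#!/bin/sh
# Added example (not from the thread, strongSwan or Openswan): issue a cert with
# an authorityInfoAccess OCSP URI on a non-standard port and run one OCSP
# request/response exchange with `openssl ocsp` on files (no socket needed).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
OCSP_PORT=8880                                   # "port x" from the thread
OCSP_URI="http://ocsp.example.test:${OCSP_PORT}" # constructed placeholder host

# Generate CA, OCSP signer and end-entity certificates (runs once per WORK dir).
setup_pki() {
    if [ -f "$WORK/index.txt" ]; then return 0; fi
    cd "$WORK"
    # Self-signed CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example CA" \
        -keyout caKey.pem -out caCert.pem >/dev/null 2>&1
    # OCSP responder certificate, issued by the CA with the OCSPSigning EKU
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example OCSP" \
        -keyout ocspKey.pem -out ocsp.csr >/dev/null 2>&1
    printf 'extendedKeyUsage=OCSPSigning\n' > ocsp.ext
    openssl x509 -req -in ocsp.csr -CA caCert.pem -CAkey caKey.pem -set_serial 0x10 \
        -days 365 -extfile ocsp.ext -out ocspCert.pem >/dev/null 2>&1
    # End-entity certificate carrying the OCSP URI, port included, in its AIA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client.example.test" \
        -keyout eeKey.pem -out ee.csr >/dev/null 2>&1
    printf 'authorityInfoAccess=OCSP;URI:%s\n' "$OCSP_URI" > ee.ext
    openssl x509 -req -in ee.csr -CA caCert.pem -CAkey caKey.pem -set_serial 0x1234 \
        -days 365 -extfile ee.ext -out eeCert.pem >/dev/null 2>&1
    # Responder database in "openssl ca" index format (tab separated):
    # status (V = valid), expiry, revocation date (empty), hex serial, file, subject
    printf 'V\t491231235959Z\t\t1234\tunknown\t/CN=client.example.test\n' > index.txt
}

# The URI a client reads from the certificate; the port travels inside it.
aia_uri() {
    openssl x509 -in "$WORK/eeCert.pem" -noout -ocsp_uri
}

# One OCSP exchange carried on files instead of an HTTP POST:
#   1. the client builds the request (-reqout)
#   2. the responder answers it from index.txt (-reqin / -respout)
#   3. the client verifies the signed response and reports the status
ocsp_status() {
    cd "$WORK"
    openssl ocsp -issuer caCert.pem -cert eeCert.pem -no_nonce \
        -reqout req.der >/dev/null 2>&1
    openssl ocsp -index index.txt -CA caCert.pem -rkey ocspKey.pem -rsigner ocspCert.pem \
        -resp_no_certs -reqin req.der -respout resp.der >/dev/null 2>&1
    # -resp_no_certs leaves the signer out of the response, so the client is
    # told explicitly which responder certificate to trust (-VAfile).
    out=$(openssl ocsp -issuer caCert.pem -cert eeCert.pem -no_nonce -CAfile caCert.pem \
        -VAfile ocspCert.pem -respin resp.der 2>&1) || true
    case "$out" in
        *"Response verify OK"*) printf '%s\n' "$out" | sed -n 's/^eeCert\.pem: //p' ;;
        *) echo "verify-failed" ;;
    esac
}

setup_pki
echo "AIA OCSP URI: $(aia_uri)"
echo "OCSP status:  $(ocsp_status)"
```

To move this onto the network, replace the `-reqin`/`-respout` pair with `-port 8880` on the responder side and `-url "$(aia_uri)"` on the client side; strongSwan's fetcher does the same POST over libcurl, taking the port from the `ocspuri` or the AIA extension exactly as shown here.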