ocserv and OCSP
Björn Ketelaars
bjorn.ketelaars at hydroxide.nl
Sat Jan 7 12:29:31 PST 2017
From ocserv(8) it is not clear to me if ocserv automatically picks up an
update of the response file as generated by ocsptool.
Checking the OCSP status from ocserv AFTER a response update from ocsptool
suggests that a restart of ocserv is required:
$ ocsptool --ask --load-cert=cert.pem --load-issuer=chain.pem --outfile ocsp.der
...
Certificate Status: good
This Update: Sat Jan 07 04:00:00 UTC 2017
Next Update: Sat Jan 14 04:00:00 UTC 2017
...
$ nc -cv vpn.domain 443
...
this update: Tue Jan 3 05:00:00 2017
next update: Tue Jan 10 05:00:00 2017
revocation:
...
ocserv(8) also states that the response file needs to be replaced in an atomic
way. If I'm not mistaken this means:
1.) Write output of ocsptool to a temp file;
2.) mv temp file to response file (as defined in ocserv.conf: ocsp-response)
Any ideas maybe...or should I just restart ocserv?
--
Björn Ketelaars
GPG key: 0x4F0E5F21
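The two-step procedure described in the post (write the ocsptool output to a temporary file, then mv it over the configured ocsp-response file), as an added shell example that is not part of the original message or of the ocserv project. It assumes the temporary file can be created in the same directory as the target (rename(2) is only atomic within one filesystem), that the producer command accepts the output path as its last argument (ocsptool's --outfile does), and it refuses to install an empty or failed response so the old file stays in place.

```shell
#!/bin/sh
# Added example, not from the original post: replace an OCSP response file
# atomically so that a reader (ocserv) never sees a partially written file.
#
# Usage: refresh_ocsp_response TARGET CMD [ARGS...]
#   The temporary output path is appended to CMD, e.g. (command from the post):
#   refresh_ocsp_response /etc/ocserv/ocsp.der \
#       ocsptool --ask --load-cert=cert.pem --load-issuer=chain.pem --outfile
refresh_ocsp_response() {
    target=$1
    shift
    dir=$(dirname "$target")
    # temp file in the target's directory: mv is then a same-filesystem rename
    tmp=$(mktemp "$dir/.ocsp.XXXXXX") || return 1
    # run the producer with the temp path as its final argument
    if ! "$@" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    # refuse to install an empty response; keep the previous one instead
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0644 "$tmp"
    # single rename: old content or new content, never a half-written file
    mv -f "$tmp" "$target"
}
```

Because the function leaves the old response untouched whenever the producer fails or produces nothing, it is safe to run from cron between the "This Update" and "Next Update" times; whether ocserv re-reads the new file without a restart is the question the post leaves open and is not answered by this script.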