
Could this be the reason I am having difficulty getting other applications
such as stunnel to use the certificate's AIA? To rephrase the question,
does this code belong within openssl or is this something that an application
has to do? I am not that familiar with the openssl API.

On that note, is there any documentation on the API for using OCSP? I have
a client that is using libopenssl to establish a TLS connection and I would
like it to send OCSP requests to the OCSP responders listed in the
certificate's AIA.

Thanks,
Bruce


On 10/29/07, Dr. Stephen Henson wrote:
>
> On Mon, Oct 29, 2007, Bruce Keats wrote:
>
> > Hi,
> >
> > I have been trying for a couple of days now to test an OCSP responder, but I
> > am having problems getting the openssl OCSP client to send the OCSP requests
> > to the OCSP responder listed in the certificate's AIA. If I use the -url
> > option with openssl ocsp command, then it will generate the OCSP request,
> > send the request to the URI and decode and print the results. Here is a
> > sample command:
> >
> > openssl ocsp -issuer /tmp/cacert.pem -cert /tmp/bruce-cert.pem -text
> > -CAfile /tmp/cacert.pem -url http://192.168.0.185:80
> >
> > This works!
> >
> > I would have thought that if I remove the -url option from the command then
> > openssl would send the OCSP request to the list of OCSP responders in the
> > Authority Information Access (AIA) extension. Well, it does not. Instead
> > it just prints out the request and exits. I have tried various options
> > without success. I have read the man page many times and did some google
> > searches without finding anything that works. I am sure I am overlooking
> > the obvious.
> >
>
> Well the obvious in this case is that that functionality is not currently
> supported. It will be added at some point though.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> __________________________________________________ ____________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majordomo@openssl.org
>
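
What the reply implies for the command-line case, as an added example that is not part of the thread or of OpenSSL: read the OCSP responder URIs out of the certificate's AIA extension and pass each one to `openssl ocsp -url` yourself. The sample text is constructed, the `example.test` hosts are placeholders, and the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): follow the AIA OCSP pointer by hand.

# Constructed sample of the AIA part of `openssl x509 -noout -text` output.
SAMPLE_TEXT='            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            Authority Information Access:
                OCSP - URI:http://192.168.0.185:80
                CA Issuers - URI:http://ca.example.test/cacert.pem
                OCSP - URI:ldap://ldap.example.test/ocsp
                OCSP - URI:http://ocsp2.example.test/
    Signature Algorithm: sha1WithRSAEncryption'

# Read `openssl x509 -noout -text` output on stdin and print each OCSP
# responder URI from the AIA extension, one per line. The value comes from
# the certificate itself, so only http/https URIs are passed on.
aia_ocsp_urls() {
    awk '
        /Authority Information Access:/ { in_aia = 1; next }
        in_aia && /^[ \t]+[^:]+ - URI:/ {
            if ($0 ~ /OCSP - URI:/) {
                sub(/^.*OCSP - URI:/, "")
                if ($0 ~ /^https?:\/\/[^ \t]+$/) print
            }
            next
        }
        { in_aia = 0 }
    '
}

# Usage: ocsp_check_via_aia ISSUER.pem CERT.pem CAFILE.pem
# Tries each listed responder with the options used in the thread and stops
# at the first one openssl can query without error; returns 1 otherwise.
ocsp_check_via_aia() {
    urls=$(openssl x509 -in "$2" -noout -text | aia_ocsp_urls)
    [ -n "$urls" ] || { echo "no http(s) OCSP responder in AIA" >&2; return 1; }
    while IFS= read -r url; do
        echo "querying $url" >&2
        openssl ocsp -issuer "$1" -cert "$2" -text -CAfile "$3" \
            -url "$url" </dev/null && return 0
    done <<EOF
$urls
EOF
    return 1
}

if [ "$#" -eq 3 ]; then ocsp_check_via_aia "$@"; fi
```

Where the installed `openssl x509` supports `-ocsp_uri`, that option prints the same URIs without parsing the text dump.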

