From: Vyronas T. <vts...@it...> - 2014-10-16 05:53:39
CA/B Forum guideline v1.1.9 (since v1.0.3) Section 13.2.6 demands that an OCSP responder should not return GOOD to a request about an unrecognized serial. This patch implements that by logging the unknown serial and returning UNAUTHORIZED to the client. The serials are provided by a file that is specified in the CA configuration. A timeout option is supplied to reload the file every 'timeout' seconds. The serials file must be plaintext with each serial in hex (w/o "0x") and delimited by "\n". The pull request in question is this: https://github.com/openca/openca-ocspd/pull/2
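Added example, not code from the pull request or from openca-ocspd: a Python model of the behaviour the message describes, with a parser for the newline-delimited hex serials file, a list that re-reads the file once the timeout has elapsed, and the UNAUTHORIZED answer for serials that are not in it. The `SerialList`/`ocsp_status` names, the hand-driven clock and the sample file contents are assumptions made for the example.

```python
import logging, pathlib, tempfile, time

log = logging.getLogger("ocsp-serials")
def parse_serials(text):
    # One hex serial per line, no "0x"; int(s, 16) normalises case and leading zeros.
    known = set()
    for lineno, s in enumerate(map(str.strip, text.split("\n")), 1):
        try:
            if s:
                known.add(int(s, 16))
        except ValueError:
            log.warning("serials file line %d is not hex: %r", lineno, s)
    return known

class SerialList:
    # Known serials; the file is re-read once `timeout` seconds have elapsed.
    def __init__(self, path, timeout, clock=time.monotonic):
        self.path, self.timeout, self.clock = path, timeout, clock
        self.reload()
    def reload(self):
        with open(self.path, encoding="ascii") as fh:
            self.serials = parse_serials(fh.read())
        self.loaded_at = self.clock()
    def contains(self, serial):
        if self.clock() - self.loaded_at >= self.timeout:
            self.reload()
        return serial in self.serials

def ocsp_status(serial, known, revoked):
    # Unknown serial: log it and answer UNAUTHORIZED rather than GOOD.
    if not known.contains(serial):
        log.warning("OCSP request for unrecognized serial %X", serial)
        return "unauthorized"
    return "revoked" if serial in revoked else "good"

SAMPLE = "1000\n00ABCD\n\nzz12\nDEADBEEF\n"  # constructed sample serials file
def demo():
    now = [0.0]  # hand-driven clock so the reload timeout is deterministic
    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d, "serials.txt")
        path.write_text(SAMPLE)
        known = SerialList(path, timeout=60, clock=lambda: now[0])
        revoked = {0xABCD}  # stand-in for the CA's revocation records
        before = [ocsp_status(s, known, revoked) for s in (0x1000, 0xABCD, 0x42)]
        path.write_text(SAMPLE + "42\n")  # CA issues a new certificate
        now[0] = 30  # inside the timeout: cached list, 0x42 still "unauthorized"
        cached = ocsp_status(0x42, known, revoked)
        now[0] = 61  # timeout elapsed: file re-read, 0x42 now "good"
        return before, cached, ocsp_status(0x42, known, revoked)
```

The blank and non-hex lines in the sample show the parser skipping malformed input instead of aborting, and the second `write_text` shows a newly issued serial only becoming known after the reload interval.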