From: Romina R. <rom...@mz...> - 2024-07-31 08:05:16
Hi,

I hope this message finds you well. I have a problem regarding starting the use of the tool and libpki. Downloading the latest release version, I could not run ./configure. However, I downgraded to another version and now I can configure. But using make I have these errors that I cannot fix. Can you please help me with them?

```
/usr/bin/ld: pki_tool-pki-tool.o: undefined reference to symbol 'EVP_sha256@@OPENSSL_3.0.0'
/usr/bin/ld: /lib/x86_64-linux-gnu/libcrypto.so.3: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
make[2]: *** [Makefile:670: pki-tool] Error 1
make[2]: Leaving directory '/etc/libpki/src/tools'
make[1]: *** [Makefile:964: all-recursive] Error 1
make[1]: Leaving directory '/etc/libpki/src'
make: *** [Makefile:674: all-recursive] Error 1
```

Kind regards,
Romina
From: 藤本 康 <yas...@ip...> - 2024-06-25 23:20:00
Hi, all.

I have trouble running ocspd-genreq.sh after I installed openca-ocspd using openca-ocspd-3.1.2.tar.gz. If someone gives me a pointer on where I have to check, it will help.

While I am trying to set up an RA on RHEL 8.9, I downloaded openca-ocspd-3.1.2.tar.gz, configured it and ran /opt/ocspd/bin/ocspd-genreq.sh. I got the following message:

```
[root@ttca01 openca-ocspd-3.1.2]# time /opt/ocspd/bin/ocspd-genreq.sh

OCSP Key and Certificate Request generation Tool
(c) 2009 by Massimiliano Pala and OpenCA Labs
All Rights Reserved

Please Enter the Server's Subject (eg., CN=OCSP Server, O=OpenCA, C=US): XXXXXXXXXXXXXXXXXXXXXXXXXXXX
Please Enter the Algorithm (default: RSA-SHA256):
Please Enter the Key Size (default: 2048):

Parameters Summary:
 - prefix ................: /opt/ocspd
 - token Name ............: ocspServerToken
 - subject ...............:XXXXXXXXXXXXXXXXXXXXXXXXXXXX
 - algorithm .............: RSA-SHA256
 - key size ..............: 2048 bits

This tool uses the pki-tool from libpki. The configuration of the token can be found in '/opt/ocspd/etc/ocspd/pki/token.d'
[ Use a password when prompted if you want the server key to be encrypted ]

/opt/ocspd/bin/ocspd-genreq.sh: line 61: 3130768 Segmentation fault (core dumped) pki-tool genreq -config "$prefix/etc/ocspd/pki" -outkey "$prefix/etc/ocspd/private/key.pem" -newkey -bits $bits -subject "$subject" -algor "$algor" -out "$prefix/etc/ocspd/req.pem" -batch
ERROR, can not complete task. Please check write permissions for target(s) [most probably you need administrator privileges to continue].

real    2m34.598s
user    0m0.074s
sys     0m0.005s
[root@ttca01 openca-ocspd-3.1.2]#
```

libpki had been downloaded from https://sourceforge.net/projects/openca/files/libpki/releases/v0.9.0/sources/libpki-0.9.0.tar.gz/download

I have run the pki-tool command only. The result seems to be the same.

```
[root@ttra01 libpki-0.9.0]# pki-tool genreq -config /opt/ocspd/etc/ocspd/pki -outkey /opt/ocspd/etc/ocspd/private/key.pem -newkey -bits 2048 -subject 'xxxxxxxxxxxxxxxxx' -algor RSA-SHA256 -out /opt/ocspd/etc/ocspd/req.pem -batch
Segmentation fault (core dumped)
[root@ttra01 libpki-0.9.0]#
```

I have tried gdb expecting to get more info, but I don't know what I have to do with this.

```
[root@ttra01 libpki-0.9.0]# gdb pki-tool
GNU gdb (GDB) Red Hat Enterprise Linux 8.2-20.el8
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
    http://www.gnu.org/software/gdb/documentation/.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from pki-tool...done.
(gdb) run genreq -config /opt/ocspd/etc/ocspd/pki -outkey /opt/ocspd/etc/ocspd/private/key.pem -newkey -bits 2048 -subject 'xxxxxxxxxxxxxx"' -algor RSA-SHA256 -out /opt/ocspd/etc/ocspd/req.pem -batch
Starting program: /usr/bin/pki-tool genreq -config /opt/ocspd/etc/ocspd/pki -outkey /opt/ocspd/etc/ocspd/private/key.pem -newkey -bits 2048 -subject 'xxxxxxxxxxxxxxx"' -algor RSA-SHA256 -out /opt/ocspd/etc/ocspd/req.pem -batch
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6f53178 in x509_name_ex_i2d () from /usr/lib64/libcrypto.so.1.1
Missing separate debuginfos, use: yum debuginfo-install cyrus-sasl-lib-2.1.27-6.el8_5.x86_64 glibc-2.28-236.el8.7.x86_64 keyutils-libs-1.5.10-9.el8.x86_64 krb5-libs-1.18.2-25.el8_8.x86_64 libcom_err-1.45.6-5.el8.x86_64 libselinux-2.9-8.el8.x86_64 libxcrypt-4.1.1-6.el8.x86_64 libxml2-2.9.7-16.el8_8.1.x86_64 openldap-2.4.46-18.el8.x86_64 openssl-libs-1.1.1k-9.el8_7.x86_64 pcre2-10.32-3.el8_6.x86_64 xz-libs-5.2.4-4.el8_6.x86_64 zlib-1.2.11-25.el8.x86_64
(gdb) where
#0  0x00007ffff6f53178 in x509_name_ex_i2d () from /usr/lib64/libcrypto.so.1.1
#1  0x00007ffff6de67ac in ASN1_item_ex_i2d () from /usr/lib64/libcrypto.so.1.1
#2  0x00007ffff6de6c29 in asn1_template_ex_i2d () from /usr/lib64/libcrypto.so.1.1
#3  0x00007ffff6de66b7 in ASN1_item_ex_i2d () from /usr/lib64/libcrypto.so.1.1
#4  0x00007ffff6de69f7 in asn1_item_flags_i2d () from /usr/lib64/libcrypto.so.1.1
#5  0x00007ffff7b7ae5b in PKI_X509_VALUE_get_tbs_asn1 (v=<optimized out>, type=<optimized out>) at pki_x509.c:529
#6  0x00007ffff7b8c908 in PKI_X509_sign (x=x@entry=0x628e70, digest=digest@entry=0x7ffff7209d00, key=key@entry=0x62ef50) at hsm_main.c:527
#7  0x00007ffff7b84e1c in PKI_X509_REQ_new (k=0x62ef50, subj_s=subj_s@entry=0x7fffffffe485 "C=JP, O=KEK, OU=CRC, CN=\"KEK GRID Certificate Authority\"", req_cnf=req_cnf@entry=0x0, oids=<optimized out>, digest=0x7ffff7209d00, hsm=<optimized out>) at pki_x509_req.c:205
#8  0x00007ffff7b76bd1 in PKI_TOKEN_new_req (profile_s=0x0, subject=0x7fffffffe485 "C=JP, O=KEK, OU=CRC, CN=\"KEK GRID Certificate Authority\"", tk=0x62a4c0) at token.c:2254
#9  PKI_TOKEN_new_req (tk=tk@entry=0x62a4c0, subject=subject@entry=0x7fffffffe485 "C=JP, O=KEK, OU=CRC, CN=\"KEK GRID Certificate Authority\"", profile_s=profile_s@entry=0x0) at token.c:2211
#10 0x0000000000402ef2 in main (argc=<optimized out>, argv=<optimized out>) at pki-tool.c:906
(gdb)
```

If anyone could give me a pointer on where I have to start investigating, it would help me.

Thank you,
Yasushi Fujimoto
From: ohaya <oh...@ya...> - 2022-05-12 04:45:24
Hi,

Since I am kind of stuck with using the 2 RPMs to try to install the OCSP responder, I decided to try to build from source.

I downloaded the openca-ocspd-master.zip and the libpki-master.zip. I can configure, make, and make install libpki. However when I try to build openca-ocspd using:

```
./configure --prefix=/apps/oracle/ocspd --with-libpki-prefix=/apps/oracle/libpki
```

That step works, but when I try to compile, I am getting this:

```
make
Making all in src
make[1]: Entering directory `/tmp/jl/openca-ocspd-master/src'
Making all in ocspd
make[2]: Entering directory `/tmp/jl/openca-ocspd-master/src/ocspd'
gcc -DHAVE_CONFIG_H -I. -I../../src/ocspd/includes -I. -I/apps/oracle/libpki/include -DENABLE_ECDSA=1 -I/usr/include/libxml2 -g -O2 -fstack-check -maccumulate-outgoing-args -Werror -Wfatal-errors -MT ocspd-ocspd.o -MD -MP -MF .deps/ocspd-ocspd.Tpo -c -o ocspd-ocspd.o `test -f 'ocspd.c' || echo './'`ocspd.c
mv -f .deps/ocspd-ocspd.Tpo .deps/ocspd-ocspd.Po
gcc -DHAVE_CONFIG_H -I. -I../../src/ocspd/includes -I. -I/apps/oracle/libpki/include -DENABLE_ECDSA=1 -I/usr/include/libxml2 -g -O2 -fstack-check -maccumulate-outgoing-args -Werror -Wfatal-errors -MT ocspd-core.o -MD -MP -MF .deps/ocspd-core.Tpo -c -o ocspd-core.o `test -f 'core.c' || echo './'`core.c
core.c: In function ‘start_threaded_server’:
core.c:55:13: error: ‘PKI_TOKEN_STATUS_KEYPAIR_ERR’ undeclared (first use in this function)
   if (rv & (PKI_TOKEN_STATUS_KEYPAIR_ERR |
             ^
compilation terminated due to -Wfatal-errors.
make[2]: *** [ocspd-core.o] Error 1
make[2]: Leaving directory `/tmp/jl/openca-ocspd-master/src/ocspd'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/jl/openca-ocspd-master/src'
make: *** [all-recursive] Error 1
```

If anyone is here, can you tell me what is causing the above error?

Thanks,
Jim
From: ohaya <oh...@ya...> - 2022-05-12 02:51:45
Hi,

I am trying to install the OCSP Responder on a Redhat 7 machine and am having the following problem:

```
[root@ip-192-168-114-98 jl]# rpm -ivh libpki-0.9.0-1.el7.x86_64.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:libpki-0.9.0-1.el7               ################################# [100%]
[root@ip-192-168-114-98 jl]# rpm -ivh openca-ocspd-3.1.2-1.el7.x86_64.rpm
error: Failed dependencies:
        libpki.so.89()(64bit) is needed by openca-ocspd-3.1.2-1.el7.x86_64
```

I've done some searching and found a couple of msgs with the same error, but no solutions.

Please advise.

Thanks,
Jim
From: ohaya <oh...@ya...> - 2022-05-11 14:40:15
Hi,

It has been awhile since posting! We are preparing to re-deploy OCSPD to some new RHEL7 machines and I wanted to check if the OCSP Responder v3.1.2 and LibPKI 0.90 RPM downloads below are the correct current ones and are stable?

openca-ocspd-3.1.2-1.el7.x86_64.rpm
Size: 51 Kb - Downloads: 2418 [Sha1: 43e453fbb8d06e7f1a924d9e49d25cb2074edbdb]

libpki-0.9.0-1.el7.x86_64.rpm
Size: 339 Kb - Downloads: 1562 [Sha1: 4671e10121141a4537ca1ddaddd776509f9e88db]

Thanks,
Jim
From: <oh...@ya...> - 2019-08-06 20:18:55
Hi,

FYI, please ignore the information below, and also the other email about the other similar situation where I thought that some CRL entries might not be in OCSPD's database from the import.

It looks like I had generated the list of serial numbers that I was using to drive a load test using one set of CRL files, but the actual OCSPD was using a different set of CRL files.

Sorry!

Jim

On Monday, August 5, 2019, 9:33:11 PM UTC, oh...@ya... <oh...@ya...> wrote:

Hi,

I have been testing against one of our CRLs, and in there, we have a cert serial 2FB227. Here's the output from the "openssl crl" for that serial number:

```
Serial Number: 2FB227
    Revocation Date: Jul 23 13:43:55 2019 GMT
    CRL entry extensions:
        X509v3 CRL Reason Code:
            Superseded
        Invalidity Date:
            Jul 23 13:43:39 2019 GMT
```

However, when I run an "openssl ocspd" (send a request) test, against OpenCA OCSPD with this CRL, I am getting this:

```
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 9FC23C79C5BC28FDCD3EC6E5201AECCD200DABE4
          Issuer Key Hash: 5B91C64436F228F2F8CFB2C2C8CA6349619B200A
          Serial Number: 2FB227
    Request Extensions:
        OCSP Nonce:
            04109ED8FB9BFBBC1900A6B08972EBC308F7
Response verify OK
0x2FB227: good
        This Update: Aug 5 21:27:45 2019 GMT
        Next Update: Aug 5 21:32:45 2019 GMT
```

So, it looks like, from the CRL, the cert was Revoked, because it was "superseded", and then when I run an OCSP request for the serial number, OpenCA OCSPD is sending an OCSP response that does not indicate that the cert was revoked?

I am not that familiar with the RFCs (and with the "Superseded" reason) but is that a "correct" OCSP response for that revoked entry in the CRL file? Shouldn't OpenCA OCSPD be sending an OCSP response that indicates that the certificate with that serial number has been Revoked?

Thanks,
Jim
From: <oh...@ya...> - 2019-08-06 14:54:18
Hi,

I just realized that the OCSP responses with:

```
Response verify OK
0x17FF15: good
        This Update: Aug 6 14:18:41 2019 GMT
        Next Update: Aug 6 14:23:41 2019 GMT
```

are the same as when OCSPD cannot find the serial number?? So it seems like some of the entries that are in the CRL file are NOT in the OCSPD database, i.e., when I do an OCSP request for 17FF15, OCSPD does not have that entry in its database???

Jim

On Tuesday, August 6, 2019, 2:25:33 PM UTC, oh...@ya... <oh...@ya...> wrote:

Hi,

This is similar to a case I mentioned in my previous post, but this time it is for an entry in the CRL that is "Key Compromise".

I have been testing against one of our CRLs, and in there, we have a cert serial 17FF15. Here's the output from the "openssl crl" for that serial number:

```
Serial Number: 17FF15
    Revocation Date: Sep 27 16:41:12 2018 GMT
    CRL entry extensions:
        X509v3 CRL Reason Code:
            Key Compromise
```

However, when I run an "openssl ocspd" (send a request) test, against OpenCA OCSPD with this CRL, I am getting this:

```
OOCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 9FC23C79C5BC28FDCD3EC6E5201AECCD200DABE4
          Issuer Key Hash: 5B91C64436F228F2F8CFB2C2C8CA6349619B200A
          Serial Number: 17FF15
    Request Extensions:
        OCSP Nonce:
            0410C4C258A539DD8568B18DD47058D02E75
Response verify OK
0x17FF15: good
        This Update: Aug 6 14:18:41 2019 GMT
        Next Update: Aug 6 14:23:41 2019 GMT
```

So, it looks like, from the CRL, the cert was Revoked, because it was "Key Compromise", and then when I run an OCSP request for the serial number, OpenCA OCSPD is sending an OCSP response that does not indicate that the cert was revoked?

Again, I am not that familiar with the RFCs but is that a "correct" OCSP response for that revoked entry in the CRL file? Shouldn't OpenCA OCSPD be sending an OCSP response that indicates that the certificate with that serial number has been Revoked?

For instance, here is the CRL entry vs. OCSP response for another serial number, 17FF16:

```
Serial Number: 17FF16
    Revocation Date: Oct 29 16:55:42 2018 GMT
    CRL entry extensions:
        X509v3 CRL Reason Code:
            Affiliation Changed
        Invalidity Date:
            Oct 29 16:49:18 2018 GMT
```

```
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 9FC23C79C5BC28FDCD3EC6E5201AECCD200DABE4
          Issuer Key Hash: 5B91C64436F228F2F8CFB2C2C8CA6349619B200A
          Serial Number: 17FF16
    Request Extensions:
        OCSP Nonce:
            041070807FF2981BD8E943724399B93011E7
Response verify OK
0x17FF16: revoked
        This Update: Aug 6 14:23:01 2019 GMT
        Next Update: Aug 6 14:28:01 2019 GMT
        Reason: affiliationChanged
        Revocation Time: Oct 29 16:55:42 2018 GMT
```

Notice the OCSP response for the 17FF16 serial number has:

```
0x17FF16: revoked
```

and:

```
        Reason: affiliationChanged
        Revocation Time: Oct 29 16:55:42 2018 GMT
```

Thanks,
Jim
From: <oh...@ya...> - 2019-08-06 14:25:47
Hi,

This is similar to a case I mentioned in my previous post, but this time it is for an entry in the CRL that is "Key Compromise".

I have been testing against one of our CRLs, and in there, we have a cert serial 17FF15. Here's the output from the "openssl crl" for that serial number:

```
Serial Number: 17FF15
    Revocation Date: Sep 27 16:41:12 2018 GMT
    CRL entry extensions:
        X509v3 CRL Reason Code:
            Key Compromise
```

However, when I run an "openssl ocspd" (send a request) test, against OpenCA OCSPD with this CRL, I am getting this:

```
OOCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 9FC23C79C5BC28FDCD3EC6E5201AECCD200DABE4
          Issuer Key Hash: 5B91C64436F228F2F8CFB2C2C8CA6349619B200A
          Serial Number: 17FF15
    Request Extensions:
        OCSP Nonce:
            0410C4C258A539DD8568B18DD47058D02E75
Response verify OK
0x17FF15: good
        This Update: Aug 6 14:18:41 2019 GMT
        Next Update: Aug 6 14:23:41 2019 GMT
```

So, it looks like, from the CRL, the cert was Revoked, because it was "Key Compromise", and then when I run an OCSP request for the serial number, OpenCA OCSPD is sending an OCSP response that does not indicate that the cert was revoked?

Again, I am not that familiar with the RFCs but is that a "correct" OCSP response for that revoked entry in the CRL file? Shouldn't OpenCA OCSPD be sending an OCSP response that indicates that the certificate with that serial number has been Revoked?

For instance, here is the CRL entry vs. OCSP response for another serial number, 17FF16:

```
Serial Number: 17FF16
    Revocation Date: Oct 29 16:55:42 2018 GMT
    CRL entry extensions:
        X509v3 CRL Reason Code:
            Affiliation Changed
        Invalidity Date:
            Oct 29 16:49:18 2018 GMT
```

```
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 9FC23C79C5BC28FDCD3EC6E5201AECCD200DABE4
          Issuer Key Hash: 5B91C64436F228F2F8CFB2C2C8CA6349619B200A
          Serial Number: 17FF16
    Request Extensions:
        OCSP Nonce:
            041070807FF2981BD8E943724399B93011E7
Response verify OK
0x17FF16: revoked
        This Update: Aug 6 14:23:01 2019 GMT
        Next Update: Aug 6 14:28:01 2019 GMT
        Reason: affiliationChanged
        Revocation Time: Oct 29 16:55:42 2018 GMT
```

Notice the OCSP response for the 17FF16 serial number has:

```
0x17FF16: revoked
```

and:

```
        Reason: affiliationChanged
        Revocation Time: Oct 29 16:55:42 2018 GMT
```

Thanks,
Jim
From: <oh...@ya...> - 2019-08-05 21:33:18
Hi,

I have been testing against one of our CRLs, and in there, we have a cert serial 2FB227. Here's the output from the "openssl crl" for that serial number:

```
Serial Number: 2FB227
    Revocation Date: Jul 23 13:43:55 2019 GMT
    CRL entry extensions:
        X509v3 CRL Reason Code:
            Superseded
        Invalidity Date:
            Jul 23 13:43:39 2019 GMT
```

However, when I run an "openssl ocspd" (send a request) test, against OpenCA OCSPD with this CRL, I am getting this:

```
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 9FC23C79C5BC28FDCD3EC6E5201AECCD200DABE4
          Issuer Key Hash: 5B91C64436F228F2F8CFB2C2C8CA6349619B200A
          Serial Number: 2FB227
    Request Extensions:
        OCSP Nonce:
            04109ED8FB9BFBBC1900A6B08972EBC308F7
Response verify OK
0x2FB227: good
        This Update: Aug 5 21:27:45 2019 GMT
        Next Update: Aug 5 21:32:45 2019 GMT
```

So, it looks like, from the CRL, the cert was Revoked, because it was "superseded", and then when I run an OCSP request for the serial number, OpenCA OCSPD is sending an OCSP response that does not indicate that the cert was revoked?

I am not that familiar with the RFCs (and with the "Superseded" reason) but is that a "correct" OCSP response for that revoked entry in the CRL file? Shouldn't OpenCA OCSPD be sending an OCSP response that indicates that the certificate with that serial number has been Revoked?

Thanks,
Jim
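The CRL-versus-OCSP comparison that the three messages above (2FB227, 17FF15 and 17FF16) do by hand, as an added example that is not code from openca-ocspd, libpki or the list: it parses the `openssl crl -text` and `openssl ocsp` layouts quoted in the thread and flags every serial the CRL lists as revoked but the responder reports otherwise, which is the pattern seen when the responder has loaded a different CRL set than the one the serial list came from. The sample dumps are constructed, and `parse_crl_text`, `parse_ocsp_text`, `cross_check` and the reason table are this example's own names.

```python
# Added example, not code from openca-ocspd, libpki or the list posts: cross-check
# the revoked entries of a CRL against OCSP verdicts, reading the text layouts
# printed by `openssl crl -text` and `openssl ocsp` that are quoted in the thread.
import re
from typing import Dict, List, Optional, Tuple

# Reason wording printed by `openssl crl -text` (left) versus the CRLReason
# identifier printed by `openssl ocsp` (right); names from RFC 5280, 5.3.1.
CRL_TO_OCSP_REASON = {
    "Unspecified": "unspecified", "Key Compromise": "keyCompromise",
    "CA Compromise": "cACompromise", "Affiliation Changed": "affiliationChanged",
    "Superseded": "superseded", "Cessation Of Operation": "cessationOfOperation",
    "Certificate Hold": "certificateHold", "Remove From CRL": "removeFromCRL",
    "Privilege Withdrawn": "privilegeWithdrawn", "AA Compromise": "aACompromise",
}
CrlEntry = Tuple[str, Optional[str]]                     # (revocation date, reason)
OcspVerdict = Tuple[str, Optional[str], Optional[str]]   # (status, reason, revocation time)

def parse_crl_text(text: str) -> Dict[str, CrlEntry]:
    """Revoked entries from `openssl crl -text` output, keyed by upper-case hex serial."""
    entries: Dict[str, CrlEntry] = {}
    # Every revoked entry starts with a "Serial Number:" line; chunk 0 is the CRL header.
    for chunk in re.split(r"^\s*Serial Number:\s*", text, flags=re.M)[1:]:
        serial = chunk.split("\n", 1)[0].strip().upper()
        date = re.search(r"Revocation Date:\s*(.+)", chunk)
        reason = re.search(r"CRL Reason Code:\s*(.+)", chunk)  # value sits on the next line
        entries[serial] = (date.group(1).strip() if date else "",
                           reason.group(1).strip() if reason else None)
    return entries

def parse_ocsp_text(text: str) -> Dict[str, OcspVerdict]:
    """Per-serial verdicts from one or more `openssl ocsp` dumps ("0x2FB227: good")."""
    verdicts: Dict[str, OcspVerdict] = {}
    hits = list(re.finditer(r"^0x([0-9A-Fa-f]+):\s*(good|revoked|unknown)\s*$", text, re.M))
    for i, m in enumerate(hits):
        # Reason / Revocation Time lines belong to the verdict line they follow.
        block = text[m.end():hits[i + 1].start() if i + 1 < len(hits) else len(text)]
        reason = re.search(r"^\s*Reason:\s*(.+)$", block, re.M)
        rtime = re.search(r"^\s*Revocation Time:\s*(.+)$", block, re.M)
        verdicts[m.group(1).upper()] = (m.group(2),
                                        reason.group(1).strip() if reason else None,
                                        rtime.group(1).strip() if rtime else None)
    return verdicts

def cross_check(crl: Dict[str, CrlEntry], ocsp: Dict[str, OcspVerdict]) -> List[Tuple[str, str]]:
    """(serial, problem) pairs for every serial on which the CRL and OCSP disagree."""
    findings: List[Tuple[str, str]] = []
    for serial, (rev_date, crl_reason) in crl.items():
        if serial not in ocsp:
            continue  # never queried, nothing to compare
        status, ocsp_reason, ocsp_time = ocsp[serial]
        if status != "revoked":
            # A responder that loaded a different CRL set than the one this serial
            # list was built from answers "good" for serials it has never seen.
            findings.append((serial, f"CRL: revoked ({crl_reason}); OCSP: {status}"))
        elif crl_reason and ocsp_reason != CRL_TO_OCSP_REASON.get(crl_reason):
            findings.append((serial, f"reason mismatch: CRL {crl_reason!r}, OCSP {ocsp_reason!r}"))
        elif ocsp_time and ocsp_time != rev_date:
            findings.append((serial, f"revocation time mismatch: CRL {rev_date}, OCSP {ocsp_time}"))
    for serial, (status, _, _) in ocsp.items():
        if status == "revoked" and serial not in crl:
            findings.append((serial, "OCSP: revoked, but the serial is not in this CRL"))
    return findings

# Constructed sample dumps (the serials are the ones quoted in the thread).
SAMPLE_CRL_TEXT = """\
Revoked Certificates:
    Serial Number: 17FF15
        Revocation Date: Sep 27 16:41:12 2018 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 17FF16
        Revocation Date: Oct 29 16:55:42 2018 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Affiliation Changed
    Serial Number: 2FB227
        Revocation Date: Jul 23 13:43:55 2019 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Superseded
"""
SAMPLE_OCSP_TEXT = """\
Response verify OK
0x17FF15: good
Response verify OK
0x17FF16: revoked
    This Update: Aug  6 14:23:01 2019 GMT
    Reason: affiliationChanged
    Revocation Time: Oct 29 16:55:42 2018 GMT
Response verify OK
0x2FB227: good
"""

def run_demo() -> List[Tuple[str, str]]:
    """Run the check on the constructed samples; 17FF16 agrees, the two "good" ones do not."""
    return cross_check(parse_crl_text(SAMPLE_CRL_TEXT), parse_ocsp_text(SAMPLE_OCSP_TEXT))
```

Feed it the real dumps (one `openssl crl -text -noout` run and the concatenated `openssl ocsp` outputs of the load-test serials) and an empty result means the responder is serving the same revocation data the serial list was built from.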
From: Dr. P. <ma...@op...> - 2019-07-21 15:52:53
Hi Jim,

sorry it took me so much time to reply - I admit I missed your message :D

For adding support for DB lookup instead of memory lookup, the effort should not be that much. The way I would architect the project would be to add support for the specific DB (in LibPKI Pg and MySQL are already supported in the URL interface, however I would not suggest querying the database through that interface as it is not optimized for speed :D), then I would:

* Upon CRL loading, I would add a function that takes the single entries and puts them in the database (and maybe removes the entries that are expired - sort of cleanup) and then removes the CRL from memory (freeing the memory)
* Repeat for all the CRLs you want to serve

This might work but you have to be sure you are not updating the DB from different instances of the service (i.e., there must be a master that updates the DB while all the other instances only perform lookup operations in the DB). Possibly, the process that updates the DB could be a separate one (not necessarily the OCSPD), while the OCSPD would only perform queries to build the responses.

Does this make sense? Were you thinking about a different type of architecture?

Cheers,
Max

On 7/11/19 9:47 AM, oh...@ya... wrote:
> Hi,
>
> Sorry that it's been awhile since your message below.
>
> We *MAY* be able to provide support for adding the DB option, but, if it is not too much trouble, can you give a high-level description of what would be done? I am still pushing for it here, but I am not 100% sure yet.
>
> Also, would the modifications be in Java? Or in C/C++?
>
> Thanks,
> Jim
>
> On Sunday, May 26, 2019, 11:30:31 PM UTC, Dr. Pala <ma...@op...> wrote:
>
> Hi Jim,
>
> interesting issue - something I have not considered (memory usage). Unfortunately, the memory usage will not be different because, in the end, after one of the supported/specific transport protocols is used (i.e., LDAP, HTTP, HTTPS, MySQL, PgSQL, etc.) the CRL is then parsed and entries are created based on the entries in the CRL.
>
> One solution to your problem, maybe, would be to sacrifice the speed of response for the possibility to instantiate OCSPDs in small containers/VMs. My assumption is that disk-space is not an issue.
>
> We could think about modifying the OCSPD to work off a small DB4 or similar... this would allow us to create entries in the DB (filesystem entries instead of memory entries). This might require additional time at CRL reload, but the memory usage would be practically constant with the growing of CRLs.
>
> We have been working recently to make sure LibPKI works well with OpenSSL 1.1.+ branches (and add support for CMS in the same context), and the next update I was thinking was related to two different things:
>
> * Adding a simple Cache mechanism so that the same answer can be cached for its validity period (or up to 80% of its validity period). This would improve the speed for high-frequency certificates' checks
> * Adding support for OCSPv2 (and DNS distribution end-points). This is something we have been working on for a while and would like to standardize at some point. The main idea is to provide responses for "ranges" of certificates instead of for each of the issued certificates. This would provide smaller overhead when large chunks of the issued certs space are not revoked. For revoked entries, there is not much optimization we can do since you need the full revocation data there.
>
> I guess we can add the low-memory architecture as another enhancement, but I am not sure I have the bandwidth right now to work on that - would you like to work on that together and provide some initial thoughts / code?
>
> Cheers,
> Max
>
> On 5/24/19 1:00 PM, o haya via Openca-ocspd wrote:
> Hi,
>
> I had asked this question awhile ago, but no one responded, so I would like to ask again.
>
> We currently use OCSPD with multiple CRLs (from different CAs). Some of these CRLs are quite large, and so the OCSPD memory usage is quite large.
>
> However, we have some scenarios where we have machines with only much smaller memory, but we would still like to use OCSPD and with the same CRLs.
>
> All of our machines include an LDAP server, and from the docs, it seems like OCSPD can work with CRLs in LDAP servers, so we were wondering if we made our own tool to import the CRL contents into the LDAP server, and configured OCSPD to use the CRLs in the LDAP server, do you think/know if the overall memory usage would be reduced, compared to our current configuration?
>
> I understand that the memory usage of the LDAP server, when populated with the CRLs, MIGHT be the same, and if so, we'd end up in a "zero-sum" situation, but I wanted to check what you all thought? Has anyone used OCSPD with the CRL information in an LDAP?
>
> Thanks,
> Jim
>
> _______________________________________________
> Openca-ocspd mailing list
> Ope...@li... <mailto:Ope...@li...>
> https://lists.sourceforge.net/lists/listinfo/openca-ocspd
>
> --
> Best Regards,
> Massimiliano Pala, Ph.D.
> OpenCA Labs Director
>
> _______________________________________________
> Openca-ocspd mailing list
> Ope...@li... <mailto:Ope...@li...>
> https://lists.sourceforge.net/lists/listinfo/openca-ocspd

--
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
From: <oh...@ya...> - 2019-07-11 13:47:55
Hi,

Sorry that it's been awhile since your message below.

We *MAY* be able to provide support for adding the DB option, but, if it is not too much trouble, can you give a high-level description of what would be done? I am still pushing for it here, but I am not 100% sure yet.

Also, would the modifications be in Java? Or in C/C++?

Thanks,
Jim

On Sunday, May 26, 2019, 11:30:31 PM UTC, Dr. Pala <ma...@op...> wrote:

Hi Jim,

interesting issue - something I have not considered (memory usage). Unfortunately, the memory usage will not be different because, in the end, after one of the supported/specific transport protocols is used (i.e., LDAP, HTTP, HTTPS, MySQL, PgSQL, etc.) the CRL is then parsed and entries are created based on the entries in the CRL.

One solution to your problem, maybe, would be to sacrifice the speed of response for the possibility to instantiate OCSPDs in small containers/VMs. My assumption is that disk-space is not an issue.

We could think about modifying the OCSPD to work off a small DB4 or similar... this would allow us to create entries in the DB (filesystem entries instead of memory entries). This might require additional time at CRL reload, but the memory usage would be practically constant with the growing of CRLs.

We have been working recently to make sure LibPKI works well with OpenSSL 1.1.+ branches (and add support for CMS in the same context), and the next update I was thinking was related to two different things:

- Adding a simple Cache mechanism so that the same answer can be cached for its validity period (or up to 80% of its validity period). This would improve the speed for high-frequency certificates' checks
- Adding support for OCSPv2 (and DNS distribution end-points). This is something we have been working on for a while and would like to standardize at some point. The main idea is to provide responses for "ranges" of certificates instead of for each of the issued certificates. This would provide smaller overhead when large chunks of the issued certs space are not revoked. For revoked entries, there is not much optimization we can do since you need the full revocation data there.

I guess we can add the low-memory architecture as another enhancement, but I am not sure I have the bandwidth right now to work on that - would you like to work on that together and provide some initial thoughts / code?

Cheers,
Max

On 5/24/19 1:00 PM, o haya via Openca-ocspd wrote:

Hi,

I had asked this question awhile ago, but no one responded, so I would like to ask again.

We currently use OCSPD with multiple CRLs (from different CAs). Some of these CRLs are quite large, and so the OCSPD memory usage is quite large.

However, we have some scenarios where we have machines with only much smaller memory, but we would still like to use OCSPD and with the same CRLs.

All of our machines include an LDAP server, and from the docs, it seems like OCSPD can work with CRLs in LDAP servers, so we were wondering if we made our own tool to import the CRL contents into the LDAP server, and configured OCSPD to use the CRLs in the LDAP server, do you think/know if the overall memory usage would be reduced, compared to our current configuration?

I understand that the memory usage of the LDAP server, when populated with the CRLs, MIGHT be the same, and if so, we'd end up in a "zero-sum" situation, but I wanted to check what you all thought? Has anyone used OCSPD with the CRL information in an LDAP?

Thanks,
Jim

_______________________________________________
Openca-ocspd mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/openca-ocspd

--
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director

_______________________________________________
Openca-ocspd mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/openca-ocspd
From: Dr. P. <ma...@op...> - 2019-05-26 23:30:22
Hi Jim,

interesting issue - something I have not considered (memory usage). Unfortunately, the memory usage will not be different because, in the end, after one of the supported/specific transport protocols is used (i.e., LDAP, HTTP, HTTPS, MySQL, PgSQL, etc.) the CRL is then parsed and entries are created based on the entries in the CRL.

One solution to your problem, maybe, would be to sacrifice the speed of response for the possibility to instantiate OCSPDs in small containers/VMs. My assumption is that disk-space is not an issue.

We could think about modifying the OCSPD to work off a small DB4 or similar... this would allow us to create entries in the DB (filesystem entries instead of memory entries). This might require additional time at CRL reload, but the memory usage would be practically constant with the growing of CRLs.

We have been working recently to make sure LibPKI works well with OpenSSL 1.1.+ branches (and add support for CMS in the same context), and the next update I was thinking was related to two different things:

* Adding a simple Cache mechanism so that the same answer can be cached for its validity period (or up to 80% of its validity period). This would improve the speed for high-frequency certificates' checks
* Adding support for OCSPv2 (and DNS distribution end-points). This is something we have been working on for a while and would like to standardize at some point. The main idea is to provide responses for "ranges" of certificates instead of for each of the issued certificates. This would provide smaller overhead when large chunks of the issued certs space are not revoked. For revoked entries, there is not much optimization we can do since you need the full revocation data there.

I guess we can add the low-memory architecture as another enhancement, but I am not sure I have the bandwidth right now to work on that - would you like to work on that together and provide some initial thoughts / code?

Cheers,
Max

On 5/24/19 1:00 PM, o haya via Openca-ocspd wrote:
> Hi,
>
> I had asked this question awhile ago, but no one responded, so I would like to ask again.
>
> We currently use OCSPD with multiple CRLs (from different CAs). Some of these CRLs are quite large, and so the OCSPD memory usage is quite large.
>
> However, we have some scenarios where we have machines with only much smaller memory, but we would still like to use OCSPD and with the same CRLs.
>
> All of our machines include an LDAP server, and from the docs, it seems like OCSPD can work with CRLs in LDAP servers, so we were wondering if we made our own tool to import the CRL contents into the LDAP server, and configured OCSPD to use the CRLs in the LDAP server, do you think/know if the overall memory usage would be reduced, compared to our current configuration?
>
> I understand that the memory usage of the LDAP server, when populated with the CRLs, MIGHT be the same, and if so, we'd end up in a "zero-sum" situation, but I wanted to check what you all thought? Has anyone used OCSPD with the CRL information in an LDAP?
>
> Thanks,
> Jim
>
> _______________________________________________
> Openca-ocspd mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openca-ocspd

--
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
From: o h. <oh...@ya...> - 2019-05-24 19:00:28
Hi,

I had asked this question a while ago, but no one responded, so I would like to ask again.

We currently use OCSPD with multiple CRLs (from different CAs). Some of these CRLs are quite large, and so the OCSPD memory usage is quite large.

However, we have some scenarios where we have machines with only much smaller memory, but we would still like to use OCSPD and with the same CRLs.

All of our machines include an LDAP server, and from the docs, it seems like OCSPD can work with CRLs in LDAP servers, so we were wondering if we made our own tool to import the CRL contents into the LDAP server, and configured OCSPD to use the CRLs in the LDAP server, do you think/know if the overall memory usage would be reduced, compared to our current configuration?

I understand that the memory usage of the LDAP server, when populated with the CRLs, MIGHT be the same, and if so, we'd end up in a "zero-sum" situation, but I wanted to check what you all thought? Has anyone used OCSPD with the CRL information in an LDAP?

Thanks,
Jim
From: Martin H. <he...@hl...> - 2019-04-30 09:57:06
Hi Jim,

I'm not the maintainer of the projects. Max (Dr. Massimiliano Pala) is the owner of the projects and he has to do the merge (or someone else to whom he might have granted the privileges to do so).

Anyhow, I have created pull requests (https://github.com/openca/libpki/pull/41 and https://github.com/openca/openca-ocspd/pull/46) to merge the necessary changes upstream. I'll let you know when they are accepted and merged.

Cheers,
Martin

On 4/27/19 1:24 AM, o haya wrote:
> [...]
>
> Martin,
> Can you let me know when you have done the commit and merge(?) and I will try to rebuild again after that?
> Thanks!!
> Jim
From: o h. <oh...@ya...> - 2019-04-26 23:24:37
Hi,

Please ignore what I said about the error. I think that there was something wrong with my configuration files. I ran the newest ocspd (built using the 2nd bugfixes + the patch):

/apps/oracle/ocspd-bugfixes-2/sbin/ocspd -c /apps/oracle/ocspd/etc/ocspd/ocspd.xml -debug -stdout -v

and then the new ocspd started up correctly.

So, bottom line is it appears that the ocspd can be built on RHEL 6.10 using gcc 4.4.7 with the 2nd bugfixes + the patch for general.h.

Martin,
Can you let me know when you have done the commit and merge(?) and I will try to rebuild again after that?

Thanks!!
Jim

On Friday, April 26, 2019, 9:11:54 PM UTC, o haya via Openca-ocspd <ope...@li...> wrote:

Hi,

I think that I needed to also run the patch that you provided a while ago. After I did that, I was able to build ocspd.

However, I am having trouble running the new ocspd. I get the following when only the self-cert.xml is in the ca.d directory:

[orcladmin@ip-192-168-0-95 sbin]$ ls /apps/oracle/ocspd-bugfixes-2/etc/ocspd/ca.d
BACKUP  self-certs.xml

[orcladmin@ip-192-168-0-95 sbin]$ /apps/oracle/ocspd-bugfixes-2/sbin/ocspd -c /apps/oracle/ocspd-bugfixes-2/etc/ocspd/ocspd.xml -debug -stdout -v

OpenCA's OCSP Responder - v3.1.2 (Build: Fri Apr 26 20:37:46 UTC 2019)
(c) 2002-2018 by Massimiliano Pala and OpenCA Project
OpenCA licensed software

Apr 26 21:10:05 2019 GMT [18470] GENERAL: OpenCA OCSPD v3.1.2 (Fri Apr 26 20:37:46 UTC 2019)- starting.
Apr 26 21:10:05 2019 GMT [18470] INFO: [token.c:2574] [DEBUG] ERROR, can not load directory /home/orcladmin/.libpki/profile.d!
Apr 26 21:10:05 2019 GMT [18470] INFO: [token.c:831] [DEBUG] Can not load profiles (/home/orcladmin/.libpki/profile.d)
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:866] [DEBUG] Skipping file ..
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:866] [DEBUG] Skipping file .
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:866] [DEBUG] Skipping file BACKUP
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:876] [DEBUG] Loading file /apps/oracle/ocspd-bugfixes-2/etc/ocspd/ca.d/self-certs.xml
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:892] [DEBUG] Loaded /apps/oracle/ocspd-bugfixes-2/etc/ocspd/ca.d/self-certs.xml file
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/security/chrootDir, Position: -1]
Apr 26 21:10:05 2019 GMT [18470] INFO: [config.c:277] [DEBUG] Selected response digest algorithm: SHA1
Apr 26 21:10:05 2019 GMT [18470] INFO: [config.c:298] [DEBUG] Selected signature digest algorithm: SHA256
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/general/dbUrl, Position: -1]
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/general/dbPersistant, Position: -1]
Apr 26 21:10:05 2019 GMT [18470] INFO: [config.c:394] [DEBUG] Building CA List
Apr 26 21:10:05 2019 GMT [18470] GENERAL: Processing Configuration for [CA: MySelf]
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1]
Apr 26 21:10:05 2019 GMT [18470] ERROR: [pki_x509_io.c:227] Null Memory Pointer => No data returned from URL []
Apr 26 21:10:05 2019 GMT [18470] ERROR: [config.c:475] [ERROR] Can not get CA cert [CA: etc/ocspd/certs/cacert.pem, URL: MySelf]
Apr 26 21:10:05 2019 GMT [18470] INFO: Configuration loaded and parsed
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:784] [DEBUG] GOT SEARCH PATHS => 1
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:797] [DEBUG] SEARCHING FOR ocspServerToken in dir /apps/oracle/ocspd-bugfixes-2/etc/ocspd/pki/token.d
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:692] [DEBUG] Processing file [..]
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:696] [DEBUG] Skipping ..
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:692] [DEBUG] Processing file [eracom.xml]
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:710] [DEBUG] Opening File /apps/oracle/ocspd-bugfixes-2/etc/ocspd/pki/token.d/eracom.xml
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:722] [DEBUG] Getting Name Param...
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:728] [DEBUG] Got Name::Eracom
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:692] [DEBUG] Processing file [software.xml]
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:710] [DEBUG] Opening File /apps/oracle/ocspd-bugfixes-2/etc/ocspd/pki/token.d/software.xml
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:722] [DEBUG] Getting Name Param...
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:728] [DEBUG] Got Name::ocspServerToken
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:736] [DEBUG] File successfully loaded /apps/oracle/ocspd-bugfixes-2/etc/ocspd/pki/token.d/software.xml
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:801] [DEBUG] FOUND => ocspServerToken [/apps/oracle/ocspd-bugfixes-2/etc/ocspd/pki/token.d]
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /tokenConfig/password, Position: -1]
Apr 26 21:10:05 2019 GMT [18470] ERROR: [pki_x509_io.c:227] Null Memory Pointer => No data returned from URL [▒▒▒]
Apr 26 21:10:05 2019 GMT [18470] ERROR: [token.c:692] Can not load Token certificate
Apr 26 21:10:05 2019 GMT [18470] ERROR: [token.c:839] Can not load Token's Profile => ocspServerToken
Apr 26 21:10:05 2019 GMT [18470] ERROR: [core.c:42] [ERROR] Can not load default token (/apps/oracle/ocspd-bugfixes-2/etc/ocspd/ocspd.xml/ocspServerToken)
Apr 26 21:10:05 2019 GMT [18470] NOTICE: Exiting, Glad to serve you, Master!

In other words, it just starts and then dies/exits.

Jim

On Friday, April 26, 2019, 5:58:40 PM UTC, o haya via Openca-ocspd <ope...@li...> wrote:

Hi Martin,

So I should just download this ZIP and re-build libpki: https://github.com/mrbaseman/libpki/tree/bugfixes ?

Do I have to wait for a merge? Or do I just download the above?

Thanks,
Jim

On Thursday, April 25, 2019, 3:06:45 PM UTC, Martin Hecht <he...@hl...> wrote:

Hi Jim,

I think I have found the problem, at least with https://github.com/mrbaseman/libpki/commit/34fe3f3febb37f7b40cc03bc4f8dd99dbab209f7 ocspd loads our crl when compiled on SL 6 and does not crash anymore. The commit is in my "bugfixes" branch.

@Max: It has been added to #41 for libpki, and I have also opened #46 for ocspd for building it on RHEL 6.x and derivatives

Cheers,
Martin

On 4/19/19 1:24 AM, o haya via Openca-ocspd wrote:
> Hi,
> Do you have any idea about what is causing the segfault? It seems like the only CRL it works with now is the collegeca one (at least for me). What is it about the collegeca one that allows it to work?
> Thanks,
> Jim
From: o h. <oh...@ya...> - 2019-04-26 21:11:46
Hi,

I think that I needed to also run the patch that you provided a while ago. After I did that, I was able to build ocspd.

However, I am having trouble running the new ocspd. I get the following when only the self-cert.xml is in the ca.d directory:

[orcladmin@ip-192-168-0-95 sbin]$ ls /apps/oracle/ocspd-bugfixes-2/etc/ocspd/ca.d
BACKUP  self-certs.xml

[orcladmin@ip-192-168-0-95 sbin]$ /apps/oracle/ocspd-bugfixes-2/sbin/ocspd -c /apps/oracle/ocspd-bugfixes-2/etc/ocspd/ocspd.xml -debug -stdout -v

OpenCA's OCSP Responder - v3.1.2 (Build: Fri Apr 26 20:37:46 UTC 2019)
(c) 2002-2018 by Massimiliano Pala and OpenCA Project
OpenCA licensed software

Apr 26 21:10:05 2019 GMT [18470] GENERAL: OpenCA OCSPD v3.1.2 (Fri Apr 26 20:37:46 UTC 2019)- starting.
Apr 26 21:10:05 2019 GMT [18470] INFO: [token.c:2574] [DEBUG] ERROR, can not load directory /home/orcladmin/.libpki/profile.d!
Apr 26 21:10:05 2019 GMT [18470] INFO: [token.c:831] [DEBUG] Can not load profiles (/home/orcladmin/.libpki/profile.d)
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:866] [DEBUG] Skipping file ..
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:866] [DEBUG] Skipping file .
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:866] [DEBUG] Skipping file BACKUP
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:876] [DEBUG] Loading file /apps/oracle/ocspd-bugfixes-2/etc/ocspd/ca.d/self-certs.xml
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:892] [DEBUG] Loaded /apps/oracle/ocspd-bugfixes-2/etc/ocspd/ca.d/self-certs.xml file
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/security/chrootDir, Position: -1]
Apr 26 21:10:05 2019 GMT [18470] INFO: [config.c:277] [DEBUG] Selected response digest algorithm: SHA1
Apr 26 21:10:05 2019 GMT [18470] INFO: [config.c:298] [DEBUG] Selected signature digest algorithm: SHA256
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/general/dbUrl, Position: -1]
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/general/dbPersistant, Position: -1]
Apr 26 21:10:05 2019 GMT [18470] INFO: [config.c:394] [DEBUG] Building CA List
Apr 26 21:10:05 2019 GMT [18470] GENERAL: Processing Configuration for [CA: MySelf]
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1]
Apr 26 21:10:05 2019 GMT [18470] ERROR: [pki_x509_io.c:227] Null Memory Pointer => No data returned from URL []
Apr 26 21:10:05 2019 GMT [18470] ERROR: [config.c:475] [ERROR] Can not get CA cert [CA: etc/ocspd/certs/cacert.pem, URL: MySelf]
Apr 26 21:10:05 2019 GMT [18470] INFO: Configuration loaded and parsed
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:784] [DEBUG] GOT SEARCH PATHS => 1
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:797] [DEBUG] SEARCHING FOR ocspServerToken in dir /apps/oracle/ocspd-bugfixes-2/etc/ocspd/pki/token.d
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:692] [DEBUG] Processing file [..]
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:696] [DEBUG] Skipping ..
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:692] [DEBUG] Processing file [eracom.xml]
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:710] [DEBUG] Opening File /apps/oracle/ocspd-bugfixes-2/etc/ocspd/pki/token.d/eracom.xml
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:722] [DEBUG] Getting Name Param...
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:728] [DEBUG] Got Name::Eracom
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:692] [DEBUG] Processing file [software.xml]
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:710] [DEBUG] Opening File /apps/oracle/ocspd-bugfixes-2/etc/ocspd/pki/token.d/software.xml
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:722] [DEBUG] Getting Name Param...
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:728] [DEBUG] Got Name::ocspServerToken
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:736] [DEBUG] File successfully loaded /apps/oracle/ocspd-bugfixes-2/etc/ocspd/pki/token.d/software.xml
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:801] [DEBUG] FOUND => ocspServerToken [/apps/oracle/ocspd-bugfixes-2/etc/ocspd/pki/token.d]
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /tokenConfig/password, Position: -1]
Apr 26 21:10:05 2019 GMT [18470] ERROR: [pki_x509_io.c:227] Null Memory Pointer => No data returned from URL [▒▒▒]
Apr 26 21:10:05 2019 GMT [18470] ERROR: [token.c:692] Can not load Token certificate
Apr 26 21:10:05 2019 GMT [18470] ERROR: [token.c:839] Can not load Token's Profile => ocspServerToken
Apr 26 21:10:05 2019 GMT [18470] ERROR: [core.c:42] [ERROR] Can not load default token (/apps/oracle/ocspd-bugfixes-2/etc/ocspd/ocspd.xml/ocspServerToken)
Apr 26 21:10:05 2019 GMT [18470] NOTICE: Exiting, Glad to serve you, Master!

In other words, it just starts and then dies/exits.

Jim

On Friday, April 26, 2019, 5:58:40 PM UTC, o haya via Openca-ocspd <ope...@li...> wrote:

Hi Martin,

So I should just download this ZIP and re-build libpki: https://github.com/mrbaseman/libpki/tree/bugfixes ?

Do I have to wait for a merge? Or do I just download the above?

Thanks,
Jim

On Thursday, April 25, 2019, 3:06:45 PM UTC, Martin Hecht <he...@hl...> wrote:

Hi Jim,

I think I have found the problem, at least with https://github.com/mrbaseman/libpki/commit/34fe3f3febb37f7b40cc03bc4f8dd99dbab209f7 ocspd loads our crl when compiled on SL 6 and does not crash anymore. The commit is in my "bugfixes" branch.

@Max: It has been added to #41 for libpki, and I have also opened #46 for ocspd for building it on RHEL 6.x and derivatives

Cheers,
Martin

On 4/19/19 1:24 AM, o haya via Openca-ocspd wrote:
> Hi,
> Do you have any idea about what is causing the segfault? It seems like the only CRL it works with now is the collegeca one (at least for me). What is it about the collegeca one that allows it to work?
> Thanks,
> Jim
From: o h. <oh...@ya...> - 2019-04-26 17:58:33
Hi Martin,

So I should just download this ZIP and re-build libpki: https://github.com/mrbaseman/libpki/tree/bugfixes ?

Do I have to wait for a merge? Or do I just download the above?

Thanks,
Jim

On Thursday, April 25, 2019, 3:06:45 PM UTC, Martin Hecht <he...@hl...> wrote:

Hi Jim,

I think I have found the problem, at least with https://github.com/mrbaseman/libpki/commit/34fe3f3febb37f7b40cc03bc4f8dd99dbab209f7 ocspd loads our crl when compiled on SL 6 and does not crash anymore. The commit is in my "bugfixes" branch.

@Max: It has been added to #41 for libpki, and I have also opened #46 for ocspd for building it on RHEL 6.x and derivatives

Cheers,
Martin

On 4/19/19 1:24 AM, o haya via Openca-ocspd wrote:
> Hi,
> Do you have any idea about what is causing the segfault? It seems like the only CRL it works with now is the collegeca one (at least for me). What is it about the collegeca one that allows it to work?
> Thanks,
> Jim
From: Martin H. <he...@hl...> - 2019-04-25 15:06:53
Hi Jim,

I think I have found the problem, at least with https://github.com/mrbaseman/libpki/commit/34fe3f3febb37f7b40cc03bc4f8dd99dbab209f7 ocspd loads our crl when compiled on SL 6 and does not crash anymore. The commit is in my "bugfixes" branch.

@Max: It has been added to #41 for libpki, and I have also opened #46 for ocspd for building it on RHEL 6.x and derivatives

Cheers,
Martin

On 4/19/19 1:24 AM, o haya via Openca-ocspd wrote:
> Hi,
> Do you have any idea about what is causing the segfault? It seems like the only CRL it works with now is the collegeca one (at least for me). What is it about the collegeca one that allows it to work?
> Thanks,
> Jim
From: o h. <oh...@ya...> - 2019-04-22 12:26:46
Hi,

Sorry. I was re-reading my message below, and I think that the last line was kind of unclear. What I meant to say with that last line was:

"That seems to suggest that it is at least POSSIBLE to get an ocspd THAT IS BUILT ON RHEL 6.10 to run on RHEL 6.10?"

Mind you, I don't know *HOW* to do that yet, because the ocspd that I built on RHEL 6.10 segfaults when I run it with any of our CRLs configured (but the ocspd that I built on RHEL 6.10 does work when only the collegeca CRL is configured).

So I am trying to figure out what is different between the collegeca CRL configuration vs. any of my CRL configurations, which is causing ocspd to segfault. I have tried running in debug and that doesn't really provide much info (it just segfaults) and also tried running ocspd under strace and again, that doesn't give much additional information.

Thanks,
Jim

On Friday, April 19, 2019, 10:07:05 AM UTC, o haya via Openca-ocspd <ope...@li...> wrote:

Hi,

I think that I posted about this earlier, and that I was able to get ocspd running on a RHEL 6.10 instance, by building libpki and ocspd on a RHEL 7.6 system, and then copying the libpki folder and the ocspd folder from the RHEL 7.6 system to the target RHEL 6.10 instance and then building a "parallel" GLIBC 2.14 on the RHEL 6.10 system and adding that parallel GLIBC 2.14 to the LD_LIBRARY_PATH. And that ocspd on RHEL 6.10 then seemed to be able to run, including our normal CRL files, etc. in the configuration.

That seems to suggest that it is at least possible to get the ocspd to run on RHEL 6.10?

Jim

On Thursday, April 18, 2019, 11:24:53 PM UTC, o haya via Openca-ocspd <ope...@li...> wrote:

Hi,

Do you have any idea about what is causing the segfault? It seems like the only CRL it works with now is the collegeca one (at least for me). What is it about the collegeca one that allows it to work?

Thanks,
Jim

On Thursday, April 18, 2019, 4:15:55 PM UTC, o haya <oh...@ya...> wrote:

[Added the mailing list back into the email... Sorry]

On Thursday, April 18, 2019, 3:04:24 PM UTC, o haya <oh...@ya...> wrote:

I ran the ocspd pointing to our configuration and it looks like this is where it is blowing up:

./ocspd -c /apps/oracle/ocspd/etc/ocspd/ocspd.xml -debug -stdout
...
Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:394] [DEBUG] Building CA List
Apr 18 14:57:37 2019 GMT [10335] GENERAL: Processing Configuration for [CA: EntrustCA.crl]
Apr 18 14:57:37 2019 GMT [10335] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1]
Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:623] [DEBUG] CRL Downloading Process Started [CA: EntrustCA.crl, URL: file:///apps/oracle/crl/golden/EntrustCA.crl]
Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:837] [DEBUG] CRL loaded successfully [URL: file:///apps/oracle/crl/golden/EntrustCA.crl]
Apr 18 14:57:37 2019 GMT [10335] INFO: [crl.c:213] [DEBUG] Got the public key from the CA cert [Scheme: RSA, Key Size: 2048]
Segmentation fault (core dumped)

On Thursday, April 18, 2019, 2:49:28 PM UTC, o haya <oh...@ya...> wrote:

Hi,

Oh oh... I got the following when I ran ocspd using our normal config files, etc.:

[root@ip-192-168-0-95 init.d]# ./ocspd-bugfixes start
Starting OCSP Responder: ./ocspd-bugfixes: line 39: 10259 Segmentation fault (core dumped) ${ocspd} -c "${conf}" -d
Error, check logs!

Where do I look for the logs that it is mentioning?

Jim

On Thursday, April 18, 2019, 10:59:51 AM UTC, Martin Hecht <he...@hl...> wrote:

Hi Jim,

looks good so far. You still have the example files in the config (the College ca, Dartmouth and example Token configurations, and as far as I can see you have not configured your own CRL location, ca cert etc.). At least in my environment it did not work to the point where it says "NOTICE: Exiting, Glad to serve you, Master!" in debug mode. It has crashed earlier, but maybe it's something with loading the certificate or the crl from file. But maybe you don't run into that problem (e.g. because your ca uses different algorithms).

Martin

On 4/18/19 12:36 PM, o haya wrote:
> Hi Martin,
> I applied the patch file to general.h, and I was able to do the make and make install (FYI, I built the libpki and ocspd into /apps/oracle/libpki-bugfixes and /apps/oracle/ocspd-bugfixes, respectively).
>
> Then, I did a test on RHEL 6.10, and I *think* it worked???
>
> Here's the "-debug -stdout" output:
> [orcladmin@ip-192-168-0-95 sbin]$ $ocspd -c $conf -debug -stdout
>
> OpenCA's OCSP Responder - v3.1.2 (Build: Thu Apr 18 10:21:33 UTC 2019)
> (c) 2002-2018 by Massimiliano Pala and OpenCA Project
> OpenCA licensed software
>
> Apr 18 10:31:30 2019 GMT [9346] GENERAL: OpenCA OCSPD v3.1.2 (Thu Apr 18 10:21:33 UTC 2019)- starting.
> Apr 18 10:31:30 2019 GMT [9346] INFO: [token.c:2574] [DEBUG] ERROR, can not load directory /home/orcladmin/.libpki/profile.d!
> Apr 18 10:31:30 2019 GMT [9346] INFO: [token.c:831] [DEBUG] Can not load profiles (/home/orcladmin/.libpki/profile.d)
>
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:866] [DEBUG] Skipping file ..
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:866] [DEBUG] Skipping file .
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:876] [DEBUG] Loading file /apps/oracle/ocspd-bugfixes/etc/ocspd/ca.d/collegeca.xml
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:892] [DEBUG] Loaded /apps/oracle/ocspd-bugfixes/etc/ocspd/ca.d/collegeca.xml file
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:876] [DEBUG] Loading file /apps/oracle/ocspd-bugfixes/etc/ocspd/ca.d/self-certs.xml
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:892] [DEBUG] Loaded /apps/oracle/ocspd-bugfixes/etc/ocspd/ca.d/self-certs.xml file
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/security/chrootDir, Position: -1]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [config.c:277] [DEBUG] Selected response digest algorithm: SHA1
> Apr 18 10:31:30 2019 GMT [9346] INFO: [config.c:298] [DEBUG] Selected signature digest algorithm: SHA256
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/general/dbUrl, Position: -1]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/general/dbPersistant, Position: -1]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [config.c:394] [DEBUG] Building CA List
> Apr 18 10:31:30 2019 GMT [9346] GENERAL: Processing Configuration for [CA: Dartmouth]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_socket.c:105] [DEBUG] Creating a SECURE connection (SSL/TLS)
> Apr 18 10:32:33 2019 GMT [9346] ERROR: Socket Connect failed (Unknown host)!
> Apr 18 10:32:33 2019 GMT [9346] ERROR: Socket _Connect failed (Unknown host)
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [pki_socket.c:156] [ERROR] Can not create network connection to collegeca.dartmouth.edu:443
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [pki_x509_io.c:227] Null Memory Pointer => No data returned from URL []
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [config.c:475] [ERROR] Can not get CA cert [CA: https://collegeca.dartmouth.edu/certs/DartmouthCA.cer, URL: Dartmouth]
> Apr 18 10:32:33 2019 GMT [9346] GENERAL: Processing Configuration for [CA: MySelf]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1]
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [pki_x509_io.c:227] Null Memory Pointer => No data returned from URL [▒ T]
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [config.c:475] [ERROR] Can not get CA cert [CA: etc/ocspd/certs/cacert.pem, URL: MySelf]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:784] [DEBUG] GOT SEARCH PATHS => 1
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:797] [DEBUG] SEARCHING FOR ocspServerToken in dir /apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:692] [DEBUG] Processing file [..]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:696] [DEBUG] Skipping ..
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:692] [DEBUG] Processing file [eracom.xml]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:710] [DEBUG] Opening File /apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d/eracom.xml
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:722] [DEBUG] Getting Name Param...
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:728] [DEBUG] Got Name::Eracom
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:692] [DEBUG] Processing file [software.xml]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:710] [DEBUG] Opening File /apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d/software.xml
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:722] [DEBUG] Getting Name Param...
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:728] [DEBUG] Got Name::ocspServerToken
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:736] [DEBUG] File successfully loaded /apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d/software.xml
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:801] [DEBUG] FOUND => ocspServerToken [/apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /tokenConfig/password, Position: -1]
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [pki_x509_io.c:227] Null Memory Pointer => No data returned from URL [ ▒R]
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [token.c:692] Can not load Token certificate
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [token.c:839] Can not load Token's Profile => ocspServerToken
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [core.c:42] [ERROR] Can not load default token (/apps/oracle/ocspd-bugfixes/etc/ocspd/ocspd.xml/ocspServerToken)
> Apr 18 10:32:33 2019 GMT [9346] NOTICE: Exiting, Glad to serve you, Master!
> [orcladmin@ip-192-168-0-95 sbin]$
>
>
> When I ran the test.sh:
> [orcladmin@ip-192-168-0-95 bin]$ ./test.sh
>
> OCSP Test Script
> (c) 2006 by Massimiliano Pala and OpenCA Team
>
> Test 78 requests (serial 123):
> [111111111111111111111111111111111111111111111111111111111111111111111111111111
> real 0m0.255s
> user 0m0.149s
> sys 0m0.035s
> ]
>
>
> Does that look all right? I mean, does the ocspd-bugfixes look like it is working?
>
> Jim
From: o h. <oh...@ya...> - 2019-04-19 10:55:35
Hi,

There is a small script named "test.sh" in the ocspd sbin directory, and when it is run, I get:

OCSP Test Script
(c) 2006 by Massimiliano Pala and OpenCA Team

Test 78 requests (serial 123):
[111111111111111111111111111111111111111111111111111111111111111111111111111111
real 0m0.250s
user 0m0.161s
sys 0m0.045s
]

I had assumed that that script was running a test against the actual ocspd, but then I noticed that even when I run it while the ocspd is not running, I get exactly the same output.

So I was looking at the script:

#!/bin/bash

echo
echo "OCSP Test Script"
echo "(c) 2006 by Massimiliano Pala and OpenCA Team"
echo

# if [ $# -lt 3 ] ; then
#   echo "Usage: $0 <CAfile> <Issuer_Cert> <URL>"
#   echo
#   echo "  example: $0 ca-bundle.pem cacert.pem http://localhost:2560/"
#   echo
#   exit 0
# fi

# Hard-coded test inputs (the usage block above is commented out, so the
# positional arguments are never read for these).
cabundle=data/europki_root_ca_cert.pem
cacert=data/europki_root_ca_cert.pem
url=http://localhost:2560/

# Optional first argument: number of requests to send (default 78).
if [ "0$1" -gt 0 ] ; then
  nreq=$1
else
  nreq=78
fi

for ser in 123 ; do
  echo "Test $nreq requests (serial $ser):"
  echo -n "["
  time {
    for((i=0;i<$nreq;i++)); do
      openssl ocsp -CAfile "$cabundle" \
        -url "$url" \
        -issuer "$cacert" \
        -serial "$ser" 2>/dev/null >/dev/null
        # -cert test/ocspd_cert.pem 2>/dev/null >/dev/null
      # Capture the exit status right away: once "[ $? = 0 ]" has run, $? holds
      # the status of that test (1), not the status openssl returned, so the
      # original "echo -n $?" in the else branch always printed "1".
      rc=$?
      if [ "$rc" = 0 ] ; then
        echo -n .      # responder answered and the response verified
      else
        echo -n "$rc"  # openssl ocsp failed (no CA file, no responder, ...)
      fi
    done
  }
  echo "]"
  echo
done

exit

And from that, it looks like it is running this command:

openssl ocsp -CAfile data/europki_root_ca_cert.pem -issuer data/europki_root_ca_cert.pem -url http://localhost:2560/ -serial 123

but there is no "data/europki_root_ca_cert.pem" file and also nothing is listening on port 2560, so with all of the above, I am not sure what the test.sh is actually doing and how does it even work?

Thanks,
Jim
From: o h. <oh...@ya...> - 2019-04-19 10:07:00
Hi,

I think that I posted about this earlier, and that I was able to get ocspd running on a RHEL 6.10 instance, by building libpki and ocspd on a RHEL 7.6 system, and then copying the libpki folder and the ocspd folder from the RHEL 7.6 system to the target RHEL 6.10 instance and then building a "parallel" GLIBC 2.14 on the RHEL 6.10 system and adding that parallel GLIBC 2.14 to the LD_LIBRARY_PATH. And that ocspd on RHEL 6.10 then seemed to be able to run, including our normal CRL files, etc. in the configuration.

That seems to suggest that it is at least possible to get the ocspd to run on RHEL 6.10?

Jim

On Thursday, April 18, 2019, 11:24:53 PM UTC, o haya via Openca-ocspd <ope...@li...> wrote:

Hi,

Do you have any idea about what is causing the segfault? It seems like the only CRL it works with now is the collegeca one (at least for me). What is it about the collegeca one that allows it to work?

Thanks,
Jim

On Thursday, April 18, 2019, 4:15:55 PM UTC, o haya <oh...@ya...> wrote:

[Added the mailing list back into the email... Sorry]

On Thursday, April 18, 2019, 3:04:24 PM UTC, o haya <oh...@ya...> wrote:

I ran the ocspd pointing to our configuration and it looks like this is where it is blowing up:

./ocspd -c /apps/oracle/ocspd/etc/ocspd/ocspd.xml -debug -stdout
...
Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:394] [DEBUG] Building CA List
Apr 18 14:57:37 2019 GMT [10335] GENERAL: Processing Configuration for [CA: EntrustCA.crl]
Apr 18 14:57:37 2019 GMT [10335] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1]
Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:623] [DEBUG] CRL Downloading Process Started [CA: EntrustCA.crl, URL: file:///apps/oracle/crl/golden/EntrustCA.crl]
Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:837] [DEBUG] CRL loaded successfully [URL: file:///apps/oracle/crl/golden/EntrustCA.crl]
Apr 18 14:57:37 2019 GMT [10335] INFO: [crl.c:213] [DEBUG] Got the public key from the CA cert [Scheme: RSA, Key Size: 2048]
Segmentation fault (core dumped)

On Thursday, April 18, 2019, 2:49:28 PM UTC, o haya <oh...@ya...> wrote:

Hi,

Oh oh... I got the following when I ran ocspd using our normal config files, etc.:

[root@ip-192-168-0-95 init.d]# ./ocspd-bugfixes start
Starting OCSP Responder: ./ocspd-bugfixes: line 39: 10259 Segmentation fault (core dumped) ${ocspd} -c "${conf}" -d
Error, check logs!

Where do I look for the logs that it is mentioning?

Jim

On Thursday, April 18, 2019, 10:59:51 AM UTC, Martin Hecht <he...@hl...> wrote:

Hi Jim,

looks good so far. You still have the example files in the config (the College ca, Dartmouth and example Token configurations, and as far as I can see you have not configured your own CRL location, ca cert etc.). At least in my environment it did not work to the point where it says "NOTICE: Exiting, Glad to serve you, Master!" in debug mode. It has crashed earlier, but maybe it's something with loading the certificate or the crl from file. But maybe you don't run into that problem (e.g. because your ca uses different algorithms).

Martin

On 4/18/19 12:36 PM, o haya wrote:
> Hi Martin,
> I applied the patch file to general.h, and I was able to do the make and make install (FYI, I built the libpki and ocspd into /apps/oracle/libpki-bugfixes and /apps/oracle/ocspd-bugfixes, respectively).
>
> Then, I did a test on RHEL 6.10, and I *think* it worked???
>
> Here's the "-debug -stdout" output:
> [orcladmin@ip-192-168-0-95 sbin]$ $ocspd -c $conf -debug -stdout
>
> OpenCA's OCSP Responder - v3.1.2 (Build: Thu Apr 18 10:21:33 UTC 2019)
> (c) 2002-2018 by Massimiliano Pala and OpenCA Project
> OpenCA licensed software
>
> Apr 18 10:31:30 2019 GMT [9346] GENERAL: OpenCA OCSPD v3.1.2 (Thu Apr 18 10:21:33 UTC 2019)- starting.
> Apr 18 10:31:30 2019 GMT [9346] INFO: [token.c:2574] [DEBUG] ERROR, can not load directory /home/orcladmin/.libpki/profile.d!
> Apr 18 10:31:30 2019 GMT [9346] INFO: [token.c:831] [DEBUG] Can not load profiles (/home/orcladmin/.libpki/profile.d)
>
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:866] [DEBUG] Skipping file ..
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:866] [DEBUG] Skipping file .
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:876] [DEBUG] Loading file /apps/oracle/ocspd-bugfixes/etc/ocspd/ca.d/collegeca.xml
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:892] [DEBUG] Loaded /apps/oracle/ocspd-bugfixes/etc/ocspd/ca.d/collegeca.xml file
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:876] [DEBUG] Loading file /apps/oracle/ocspd-bugfixes/etc/ocspd/ca.d/self-certs.xml
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:892] [DEBUG] Loaded /apps/oracle/ocspd-bugfixes/etc/ocspd/ca.d/self-certs.xml file
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/security/chrootDir, Position: -1]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [config.c:277] [DEBUG] Selected response digest algorithm: SHA1
> Apr 18 10:31:30 2019 GMT [9346] INFO: [config.c:298] [DEBUG] Selected signature digest algorithm: SHA256
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/general/dbUrl, Position: -1]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/general/dbPersistant, Position: -1]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [config.c:394] [DEBUG] Building CA List
> Apr 18 10:31:30 2019 GMT [9346] GENERAL: Processing Configuration for [CA: Dartmouth]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_socket.c:105] [DEBUG] Creating a SECURE connection (SSL/TLS)
> Apr 18 10:32:33 2019 GMT [9346] ERROR: Socket Connect failed (Unknown host)!
> Apr 18 10:32:33 2019 GMT [9346] ERROR: Socket _Connect failed (Unknown host) > Apr 18 10:32:33 2019 GMT [9346] ERROR: [pki_socket.c:156] [ERROR] Can not create network connection to collegeca.dartmouth.edu:443 > Apr 18 10:32:33 2019 GMT [9346] ERROR: [pki_x509_io.c:227] Null Memory Pointer => No data returned from URL [] > Apr 18 10:32:33 2019 GMT [9346] ERROR: [config.c:475] [ERROR] Can not get CA cert [CA: https://collegeca.dartmouth.edu/certs/DartmouthCA.cer, URL: Dartmouth] > Apr 18 10:32:33 2019 GMT [9346] GENERAL: Processing Configuration for [CA: MySelf] > Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1] > Apr 18 10:32:33 2019 GMT [9346] ERROR: [pki_x509_io.c:227] Null Memory Pointer => No data returned from URL [▒ T] > Apr 18 10:32:33 2019 GMT [9346] ERROR: [config.c:475] [ERROR] Can not get CA cert [CA: etc/ocspd/certs/cacert.pem, URL: MySelf] > Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:784] [DEBUG] GOT SEARCH PATHS => 1 > Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:797] [DEBUG] SEARCHING FOR ocspServerToken in dir /apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d > Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:692] [DEBUG] Processing file [..] > Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:696] [DEBUG] Skipping .. > Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:692] [DEBUG] Processing file [eracom.xml] > Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:710] [DEBUG] Opening File /apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d/eracom.xml > Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:722] [DEBUG] Getting Name Param... 
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:728] [DEBUG] Got Name::Eracom > Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:692] [DEBUG] Processing file [software.xml] > Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:710] [DEBUG] Opening File /apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d/software.xml > Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:722] [DEBUG] Getting Name Param... > Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:728] [DEBUG] Got Name::ocspServerToken > Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:736] [DEBUG] File successfully loaded /apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d/software.xml > Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:801] [DEBUG] FOUND => ocspServerToken [/apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d] > Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /tokenConfig/password, Position: -1] > Apr 18 10:32:33 2019 GMT [9346] ERROR: [pki_x509_io.c:227] Null Memory Pointer => No data returned from URL [ ▒R] > Apr 18 10:32:33 2019 GMT [9346] ERROR: [token.c:692] Can not load Token certificate > Apr 18 10:32:33 2019 GMT [9346] ERROR: [token.c:839] Can not load Token's Profile => ocspServerToken > Apr 18 10:32:33 2019 GMT [9346] ERROR: [core.c:42] [ERROR] Can not load default token (/apps/oracle/ocspd-bugfixes/etc/ocspd/ocspd.xml/ocspServerToken) > Apr 18 10:32:33 2019 GMT [9346] NOTICE: Exiting, Glad to serve you, Master! > [orcladmin@ip-192-168-0-95 sbin]$ > > > > When I ran the test.sh: > [orcladmin@ip-192-168-0-95 bin]$ ./test.sh > > OCSP Test Script > (c) 2006 by Massimiliano Pala and OpenCA Team > > Test 78 requests (serial 123): > [111111111111111111111111111111111111111111111111111111111111111111111111111111 > real 0m0.255s > user 0m0.149s > sys 0m0.035s > ] > > > Does that look all right? I mean is the ocspd-bugfixes look like it is working? 
> > > > > Jim > _______________________________________________ Openca-ocspd mailing list Ope...@li... https://lists.sourceforge.net/lists/listinfo/openca-ocspd |
From: o h. <oh...@ya...> - 2019-04-18 23:24:40
Hi,

Do you have any idea about what is causing the segfault? It seems like the only CRL it works with now is the collegeca one (at least for me). What is it about the collegeca one that allows it to work?

Thanks,

Jim

On Thursday, April 18, 2019, 4:15:55 PM UTC, o haya <oh...@ya...> wrote:
From: o h. <oh...@ya...> - 2019-04-18 16:16:13
[Added the mailing list back into the email... Sorry]

On Thursday, April 18, 2019, 3:04:24 PM UTC, o haya <oh...@ya...> wrote:

I ran the ocspd pointing to our configuration and it looks like this is where it is blowing up:

./ocspd -c /apps/oracle/ocspd/etc/ocspd/ocspd.xml -debug -stdout
...
Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:394] [DEBUG] Building CA List
Apr 18 14:57:37 2019 GMT [10335] GENERAL: Processing Configuration for [CA: EntrustCA.crl]
Apr 18 14:57:37 2019 GMT [10335] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1]
Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:623] [DEBUG] CRL Downloading Process Started [CA: EntrustCA.crl, URL: file:///apps/oracle/crl/golden/EntrustCA.crl]
Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:837] [DEBUG] CRL loaded successfully [URL: file:///apps/oracle/crl/golden/EntrustCA.crl]
Apr 18 14:57:37 2019 GMT [10335] INFO: [crl.c:213] [DEBUG] Got the public key from the CA cert [Scheme: RSA, Key Size: 2048]
Segmentation fault (core dumped)

On Thursday, April 18, 2019, 2:49:28 PM UTC, o haya <oh...@ya...> wrote:

Hi,

Oh oh... I got the following when I ran ocspd using our normal config files, etc.:

[root@ip-192-168-0-95 init.d]# ./ocspd-bugfixes start
Starting OCSP Responder: ./ocspd-bugfixes: line 39: 10259 Segmentation fault (core dumped) ${ocspd} -c "${conf}" -d
Error, check logs!

Where do I look for the logs that it is mentioning?

Jim

On Thursday, April 18, 2019, 10:59:51 AM UTC, Martin Hecht <he...@hl...> wrote:

Hi Jim,

looks good so far. You still have the example files in the config (the College ca, Dartmouth and example Token configurations, and as far as I can see you have not configured your own CRL location, ca cert etc.). At least in my environment it did not work to the point where it says "NOTICE: Exiting, Glad to serve you, Master!" in debug mode. It has crashed earlier, but maybe it's something with loading the certificate or the crl from file. But maybe you don't run into that problem (e.g. because your ca uses different algorithms).

Martin

On 4/18/19 12:36 PM, o haya wrote:
> Hi Martin,
> I applied the patch file to general.h, and I was able to do the make and make install (FYI, I built the libpki and ocspd into /apps/oracle/libpki-bugfixes and /apps/oracle/ocspd-bugfixes, respectively).
>
> Then, I did a test on RHEL 6.10, and I *think* it worked???
>
> Here's the "-debug -stdout" output:
> [orcladmin@ip-192-168-0-95 sbin]$ $ocspd -c $conf -debug -stdout
>
> OpenCA's OCSP Responder - v3.1.2 (Build: Thu Apr 18 10:21:33 UTC 2019)
> (c) 2002-2018 by Massimiliano Pala and OpenCA Project
> OpenCA licensed software
>
> Apr 18 10:31:30 2019 GMT [9346] GENERAL: OpenCA OCSPD v3.1.2 (Thu Apr 18 10:21:33 UTC 2019)- starting.
> Apr 18 10:31:30 2019 GMT [9346] INFO: [token.c:2574] [DEBUG] ERROR, can not load directory /home/orcladmin/.libpki/profile.d!
> Apr 18 10:31:30 2019 GMT [9346] INFO: [token.c:831] [DEBUG] Can not load profiles (/home/orcladmin/.libpki/profile.d)
>
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:866] [DEBUG] Skipping file ..
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:866] [DEBUG] Skipping file .
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:876] [DEBUG] Loading file /apps/oracle/ocspd-bugfixes/etc/ocspd/ca.d/collegeca.xml
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:892] [DEBUG] Loaded /apps/oracle/ocspd-bugfixes/etc/ocspd/ca.d/collegeca.xml file
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:876] [DEBUG] Loading file /apps/oracle/ocspd-bugfixes/etc/ocspd/ca.d/self-certs.xml
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:892] [DEBUG] Loaded /apps/oracle/ocspd-bugfixes/etc/ocspd/ca.d/self-certs.xml file
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/security/chrootDir, Position: -1]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [config.c:277] [DEBUG] Selected response digest algorithm: SHA1
> Apr 18 10:31:30 2019 GMT [9346] INFO: [config.c:298] [DEBUG] Selected signature digest algorithm: SHA256
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/general/dbUrl, Position: -1]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/general/dbPersistant, Position: -1]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [config.c:394] [DEBUG] Building CA List
> Apr 18 10:31:30 2019 GMT [9346] GENERAL: Processing Configuration for [CA: Dartmouth]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_socket.c:105] [DEBUG] Creating a SECURE connection (SSL/TLS)
> Apr 18 10:32:33 2019 GMT [9346] ERROR: Socket Connect failed (Unknown host)!
> Apr 18 10:32:33 2019 GMT [9346] ERROR: Socket _Connect failed (Unknown host)
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [pki_socket.c:156] [ERROR] Can not create network connection to collegeca.dartmouth.edu:443
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [pki_x509_io.c:227] Null Memory Pointer => No data returned from URL []
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [config.c:475] [ERROR] Can not get CA cert [CA: https://collegeca.dartmouth.edu/certs/DartmouthCA.cer, URL: Dartmouth]
> Apr 18 10:32:33 2019 GMT [9346] GENERAL: Processing Configuration for [CA: MySelf]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1]
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [pki_x509_io.c:227] Null Memory Pointer => No data returned from URL [▒ T]
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [config.c:475] [ERROR] Can not get CA cert [CA: etc/ocspd/certs/cacert.pem, URL: MySelf]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:784] [DEBUG] GOT SEARCH PATHS => 1
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:797] [DEBUG] SEARCHING FOR ocspServerToken in dir /apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:692] [DEBUG] Processing file [..]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:696] [DEBUG] Skipping ..
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:692] [DEBUG] Processing file [eracom.xml]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:710] [DEBUG] Opening File /apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d/eracom.xml
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:722] [DEBUG] Getting Name Param...
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:728] [DEBUG] Got Name::Eracom
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:692] [DEBUG] Processing file [software.xml]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:710] [DEBUG] Opening File /apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d/software.xml
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:722] [DEBUG] Getting Name Param...
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:728] [DEBUG] Got Name::ocspServerToken
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:736] [DEBUG] File successfully loaded /apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d/software.xml
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:801] [DEBUG] FOUND => ocspServerToken [/apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /tokenConfig/password, Position: -1]
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [pki_x509_io.c:227] Null Memory Pointer => No data returned from URL [ ▒R]
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [token.c:692] Can not load Token certificate
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [token.c:839] Can not load Token's Profile => ocspServerToken
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [core.c:42] [ERROR] Can not load default token (/apps/oracle/ocspd-bugfixes/etc/ocspd/ocspd.xml/ocspServerToken)
> Apr 18 10:32:33 2019 GMT [9346] NOTICE: Exiting, Glad to serve you, Master!
> [orcladmin@ip-192-168-0-95 sbin]$
>
> When I ran the test.sh:
> [orcladmin@ip-192-168-0-95 bin]$ ./test.sh
>
> OCSP Test Script
> (c) 2006 by Massimiliano Pala and OpenCA Team
>
> Test 78 requests (serial 123):
> [111111111111111111111111111111111111111111111111111111111111111111111111111111
> real 0m0.255s
> user 0m0.149s
> sys 0m0.035s
> ]
>
> Does that look all right? I mean, does the ocspd-bugfixes look like it is working?
>
> Jim
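The thread locates the crash by reading the debug output by eye. The following is an added triage helper (example code, not part of openca-ocspd) that does the same over the log format shown above: it tracks the CA block being processed, records the last [file.c:NNN] location, collects ERROR lines, and reports whether the run crashed or reached the clean-exit notice Martin mentions. The sample lines are copied from this thread and shortened; the log line shape is the only assumption.

```python
"""Triage helper for OpenCA ocspd "-debug -stdout" output (added example, not
openca-ocspd code). The only assumption is the log line shape seen in this
thread, e.g.
  Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:394] [DEBUG] Building CA List
plus the shell's "Segmentation fault (core dumped)" line that follows a crash."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# timestamp, pid, level, optional [file.c:NNN] location, optional [DEBUG]/[ERROR] tag, message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} \d{4} GMT) "
    r"\[(?P<pid>\d+)\] (?P<level>[A-Z]+): "
    r"(?:\[(?P<src>[\w.]+:\d+)\] )?"
    r"(?:\[(?P<tag>[A-Z]+)\] )?"
    r"(?P<msg>.*)$"
)
CA_RE = re.compile(r"Processing Configuration for \[CA: (?P<ca>[^\]]+)\]")
CLEAN_EXIT = "Exiting, Glad to serve you, Master!"
SEGFAULT = "Segmentation fault"


@dataclass
class Triage:
    crashed: bool = False
    clean_exit: bool = False
    last_ca: Optional[str] = None        # CA block being processed when output stopped
    last_location: Optional[str] = None  # file.c:NNN of the last located log line
    errors: List[str] = field(default_factory=list)


def triage(lines: Iterable[str]) -> Triage:
    """Walk the output in order and stop at the crash line: nothing after it
    is ocspd's own output, so the state at that point is where it died."""
    t = Triage()
    for raw in lines:
        line = raw.strip().lstrip("> ").strip()  # tolerate mail-quoted copies
        if not line:
            continue
        if SEGFAULT in line:
            t.crashed = True
            break
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, shell prompt, "..." elision
        ca = CA_RE.search(m["msg"])
        if ca:
            t.last_ca = ca["ca"]
        if m["src"]:
            t.last_location = m["src"]
        if m["level"] == "ERROR":
            t.errors.append(m["msg"])
        if CLEAN_EXIT in m["msg"]:
            t.clean_exit = True
    return t


def report(text: str) -> str:
    """One-line summary of a captured run."""
    t = triage(text.splitlines())
    if t.crashed:
        return (f"crashed after {t.last_location} while processing CA {t.last_ca!r}; "
                f"{len(t.errors)} ERROR line(s) before it")
    status = "clean exit" if t.clean_exit else "output ended without the exit notice"
    return f"{status}; last CA {t.last_ca!r}; {len(t.errors)} ERROR line(s)"


# Sample input: lines copied from this thread and shortened.
CRASH_LOG = """\
./ocspd -c /apps/oracle/ocspd/etc/ocspd/ocspd.xml -debug -stdout
...
Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:394] [DEBUG] Building CA List
Apr 18 14:57:37 2019 GMT [10335] GENERAL: Processing Configuration for [CA: EntrustCA.crl]
Apr 18 14:57:37 2019 GMT [10335] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1]
Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:837] [DEBUG] CRL loaded successfully [URL: file:///apps/oracle/crl/golden/EntrustCA.crl]
Apr 18 14:57:37 2019 GMT [10335] INFO: [crl.c:213] [DEBUG] Got the public key from the CA cert [Scheme: RSA, Key Size: 2048]
Segmentation fault (core dumped)
"""

CLEAN_LOG = """\
Apr 18 10:31:30 2019 GMT [9346] INFO: [config.c:394] [DEBUG] Building CA List
Apr 18 10:31:30 2019 GMT [9346] GENERAL: Processing Configuration for [CA: Dartmouth]
Apr 18 10:32:33 2019 GMT [9346] ERROR: Socket Connect failed (Unknown host)!
Apr 18 10:32:33 2019 GMT [9346] ERROR: [config.c:475] [ERROR] Can not get CA cert [CA: https://collegeca.dartmouth.edu/certs/DartmouthCA.cer, URL: Dartmouth]
Apr 18 10:32:33 2019 GMT [9346] GENERAL: Processing Configuration for [CA: MySelf]
Apr 18 10:32:33 2019 GMT [9346] NOTICE: Exiting, Glad to serve you, Master!
"""
```

Run `report(CRASH_LOG)` on the crash capture and it points at crl.c:213 inside the EntrustCA.crl block, which is what the thread worked out by hand; the "Element Not Found" INFO lines are ordinary noise and are not counted as errors.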
From: o h. <oh...@ya...> - 2019-04-15 15:30:12
Hi Martin,

I was able to build the libpki using the source from the bugfixes branch. However, I ran into a problem when I tried to do the 'make' for the ocspd.

[orcladmin@ip-192-168-0-95 openca-ocspd-3.1.2]$ make
Making all in src
make[1]: Entering directory `/apps/STAGING/BUGFIXES-TEST-BUILD-ON-RHEL-6.10/openca-ocspd-3.1.2/src'
Making all in ocspd
make[2]: Entering directory `/apps/STAGING/BUGFIXES-TEST-BUILD-ON-RHEL-6.10/openca-ocspd-3.1.2/src/ocspd'
gcc -DHAVE_CONFIG_H -I. -I../../src/ocspd/includes -I. -I/usr/include/libxml2 -g -O2 -fstack-check -maccumulate-outgoing-args -Werror -Wfatal-errors -MT ocspd-ocspd.o -MD -MP -MF .deps/ocspd-ocspd.Tpo -c -o ocspd-ocspd.o `test -f 'ocspd.c' || echo './'`ocspd.c
In file included from ../../src/ocspd/includes/general.h:313,
                 from ocspd.c:9:
../../src/ocspd/includes/cache.h:52: error: redefinition of typedef ‘OCSPD_CACHE’
compilation terminated due to -Wfatal-errors.
make[2]: *** [ocspd-ocspd.o] Error 1
make[2]: Leaving directory `/apps/STAGING/BUGFIXES-TEST-BUILD-ON-RHEL-6.10/openca-ocspd-3.1.2/src/ocspd'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/apps/STAGING/BUGFIXES-TEST-BUILD-ON-RHEL-6.10/openca-ocspd-3.1.2/src'
make: *** [all-recursive] Error 1

NOTE, I was doing both the libpki and ocspd builds in a directory "/apps/STAGING/BUGFIXES-TEST-BUILD-ON-RHEL-6.10/".

For the libpki, I used "./configure --prefix=/apps/oracle/libpki-bugfixes".

Then, for ocspd, I used: "./configure --prefix=/apps/oracle/ocspd-bugfixes --with-libpki-prefix=/apps/oracle/libpki-bugfixes".

Then, I did:

export CPATH=/apps/oracle/libpki-bugfixes/include
export LD_LIBRARY_PATH=/apps/oracle/libpki-bugfixes/lib64
make

and then I got the above error(s).

Jim

On Monday, April 15, 2019, 2:49:19 PM UTC, o haya via Openca-ocspd <ope...@li...> wrote:
From: o h. <oh...@ya...> - 2019-04-15 14:49:08
Hi Martin,

Ok, I will try that (build from the bugfixes branch download) on RHEL 6.10 and let you know (either way).

Jim

On Monday, April 15, 2019, 8:22:44 AM UTC, Martin Hecht <he...@hl...> wrote:

Jim,

you can also try out the bugfixes branch of my fork of libpki at github: https://github.com/mrbaseman/libpki/tree/bugfixes

If you encounter any further difficulties with that branch, please let me know, so I can push commits with the fixes directly to the pull request that I have opened in the official repo.

Martin