From: Romina R. <rom...@mz...> - 2024-07-31 08:05:16
Hi,
I hope this message finds you well. I have a problem regarding starting the use of the tool and libpki. Downloading the latest release version, I could not run ./configure. However, I downgraded to another version and now I can configure. But using make I have these errors that I cannot fix. Can you please help me with them?
/usr/bin/ld: pki_tool-pki-tool.o: undefined reference to symbol 'EVP_sha256@@OPENSSL_3.0.0'
/usr/bin/ld: /lib/x86_64-linux-gnu/libcrypto.so.3: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
make[2]: *** [Makefile:670: pki-tool] Error 1
make[2]: Leaving directory '/etc/libpki/src/tools'
make[1]: *** [Makefile:964: all-recursive] Error 1
make[1]: Leaving directory '/etc/libpki/src'
make: *** [Makefile:674: all-recursive] Error 1
Kind regards,
Romina
From: 藤本 康 <yas...@ip...> - 2024-06-25 23:20:00
Hi, All.
I have trouble running ocspd-genreq.sh after I installed openca-ocspd using openca-ocspd-3.1.2.tar.gz.
If someone could give me a pointer on where I have to check, it would help.
While I am trying to set up the RA on RHEL 8.9, I downloaded openca-ocspd-3.1.2.tar.gz, configured it and ran
/opt/ocspd/bin/ocspd-genreq.sh.
I got the following message:
[root@ttca01 openca-ocspd-3.1.2]# time /opt/ocspd/bin/ocspd-genreq.sh
OCSP Key and Certificate Request generation Tool
(c) 2009 by Massimiliano Pala and OpenCA Labs
All Rights Reserved
Please Enter the Server's Subject (eg., CN=OCSP Server, O=OpenCA, C=US):
XXXXXXXXXXXXXXXXXXXXXXXXXXXX
Please Enter the Algorithm (default: RSA-SHA256):
Please Enter the Key Size (default: 2048):
Parameters Summary:
- prefix ................: /opt/ocspd
- token Name ............: ocspServerToken
- subject ...............:XXXXXXXXXXXXXXXXXXXXXXXXXXXX
- algorithm .............: RSA-SHA256
- key size ..............: 2048 bits
This tool uses the pki-tool from libpki. The configuration of the
token can be found in '/opt/ocspd/etc/ocspd/pki/token.d'
[ Use a password when prompted if you want the server key to be encrypted ]
/opt/ocspd/bin/ocspd-genreq.sh: line 61: 3130768 Segmentation fault (core dumped) pki-tool genreq -config "$prefix/etc/ocspd/pki" -outkey "$prefix/etc/ocspd/private/key.pem" -newkey -bits $bits -subject "$subject" -algor "$algor" -out "$prefix/etc/ocspd/req.pem" -batch
ERROR, can not complete task. Please check write permissions for target(s)
[most probably you need administrator privileges to continue].
real 2m34.598s
user 0m0.074s
sys 0m0.005s
[root@ttca01 openca-ocspd-3.1.2]#
“libpki” had been downloaded from https://sourceforge.net/projects/openca/files/libpki/releases/v0.9.0/sources/libpki-0.9.0.tar.gz/download
I have run the pki-tool command only. The result seems to be the same.
[root@ttra01 libpki-0.9.0]# pki-tool genreq -config /opt/ocspd/etc/ocspd/pki -outkey /opt/ocspd/etc/ocspd/private/key.pem -newkey -bits 2048 -subject 'xxxxxxxxxxxxxxxxx' -algor RSA-SHA256 -out /opt/ocspd/etc/ocspd/req.pem -batch
Segmentation fault (core dumped)
[root@ttra01 libpki-0.9.0]#
I have tried gdb, expecting to get more info, but I don't know what I have to do with this.
[root@ttra01 libpki-0.9.0]# gdb pki-tool
GNU gdb (GDB) Red Hat Enterprise Linux 8.2-20.el8
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from pki-tool...done.
(gdb) run genreq -config /opt/ocspd/etc/ocspd/pki -outkey /opt/ocspd/etc/ocspd/private/key.pem -newkey -bits 2048 -subject 'xxxxxxxxxxxxxx"' -algor RSA-SHA256 -out /opt/ocspd/etc/ocspd/req.pem -batch
Starting program: /usr/bin/pki-tool genreq -config /opt/ocspd/etc/ocspd/pki -outkey /opt/ocspd/etc/ocspd/private/key.pem -newkey -bits 2048 -subject 'xxxxxxxxxxxxxxx"' -algor RSA-SHA256 -out /opt/ocspd/etc/ocspd/req.pem -batch
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6f53178 in x509_name_ex_i2d () from /usr/lib64/libcrypto.so.1.1
Missing separate debuginfos, use: yum debuginfo-install cyrus-sasl-lib-2.1.27-6.el8_5.x86_64 glibc-2.28-236.el8.7.x86_64 keyutils-libs-1.5.10-9.el8.x86_64 krb5-libs-1.18.2-25.el8_8.x86_64 libcom_err-1.45.6-5.el8.x86_64 libselinux-2.9-8.el8.x86_64 libxcrypt-4.1.1-6.el8.x86_64 libxml2-2.9.7-16.el8_8.1.x86_64 openldap-2.4.46-18.el8.x86_64 openssl-libs-1.1.1k-9.el8_7.x86_64 pcre2-10.32-3.el8_6.x86_64 xz-libs-5.2.4-4.el8_6.x86_64 zlib-1.2.11-25.el8.x86_64
(gdb) where
#0 0x00007ffff6f53178 in x509_name_ex_i2d () from /usr/lib64/libcrypto.so.1.1
#1 0x00007ffff6de67ac in ASN1_item_ex_i2d () from /usr/lib64/libcrypto.so.1.1
#2 0x00007ffff6de6c29 in asn1_template_ex_i2d () from /usr/lib64/libcrypto.so.1.1
#3 0x00007ffff6de66b7 in ASN1_item_ex_i2d () from /usr/lib64/libcrypto.so.1.1
#4 0x00007ffff6de69f7 in asn1_item_flags_i2d () from /usr/lib64/libcrypto.so.1.1
#5 0x00007ffff7b7ae5b in PKI_X509_VALUE_get_tbs_asn1 (v=<optimized out>, type=<optimized out>) at pki_x509.c:529
#6 0x00007ffff7b8c908 in PKI_X509_sign (x=x@entry=0x628e70, digest=digest@entry=0x7ffff7209d00, key=key@entry=0x62ef50) at hsm_main.c:527
#7 0x00007ffff7b84e1c in PKI_X509_REQ_new (k=0x62ef50, subj_s=subj_s@entry=0x7fffffffe485 "C=JP, O=KEK, OU=CRC, CN=\"KEK GRID Certificate Authority\"",
req_cnf=req_cnf@entry=0x0, oids=<optimized out>, digest=0x7ffff7209d00, hsm=<optimized out>) at pki_x509_req.c:205
#8 0x00007ffff7b76bd1 in PKI_TOKEN_new_req (profile_s=0x0, subject=0x7fffffffe485 "C=JP, O=KEK, OU=CRC, CN=\"KEK GRID Certificate Authority\"", tk=0x62a4c0)
at token.c:2254
#9 PKI_TOKEN_new_req (tk=tk@entry=0x62a4c0, subject=subject@entry=0x7fffffffe485 "C=JP, O=KEK, OU=CRC, CN=\"KEK GRID Certificate Authority\"",
profile_s=profile_s@entry=0x0) at token.c:2211
#10 0x0000000000402ef2 in main (argc=<optimized out>, argv=<optimized out>) at pki-tool.c:906
(gdb)
If anyone could give me a pointer on where I have to start investigating, it would help me.
Thank you
Yasushi Fujimoto
From: ohaya <oh...@ya...> - 2022-05-12 04:45:24
Hi,
Since I am kind of stuck with using the 2 RPMs to try to install the OCSP responder, I decided to try to build from source.
I downloaded the openca-ocspd-master.zip and the libpki-master.zip,
I can configure, make, and make install libpki. However when I try to build openca-ocspd using:
./configure --prefix=/apps/oracle/ocspd --with-libpki-prefix=/apps/oracle/libpki
That step works, but when I try to compile, I am getting this:
make
Making all in src
make[1]: Entering directory `/tmp/jl/openca-ocspd-master/src'
Making all in ocspd
make[2]: Entering directory `/tmp/jl/openca-ocspd-master/src/ocspd'
gcc -DHAVE_CONFIG_H -I. -I../../src/ocspd/includes -I. -I/apps/oracle/libpki/include -DENABLE_ECDSA=1 -I/usr/include/libxml2 -g -O2 -fstack-check -maccumulate-outgoing-args -Werror -Wfatal-errors -MT ocspd-ocspd.o -MD -MP -MF .deps/ocspd-ocspd.Tpo -c -o ocspd-ocspd.o `test -f 'ocspd.c' || echo './'`ocspd.c
mv -f .deps/ocspd-ocspd.Tpo .deps/ocspd-ocspd.Po
gcc -DHAVE_CONFIG_H -I. -I../../src/ocspd/includes -I. -I/apps/oracle/libpki/include -DENABLE_ECDSA=1 -I/usr/include/libxml2 -g -O2 -fstack-check -maccumulate-outgoing-args -Werror -Wfatal-errors -MT ocspd-core.o -MD -MP -MF .deps/ocspd-core.Tpo -c -o ocspd-core.o `test -f 'core.c' || echo './'`core.c
core.c: In function ‘start_threaded_server’:
core.c:55:13: error: ‘PKI_TOKEN_STATUS_KEYPAIR_ERR’ undeclared (first use in this function)
if (rv & (PKI_TOKEN_STATUS_KEYPAIR_ERR |
^
compilation terminated due to -Wfatal-errors.
make[2]: *** [ocspd-core.o] Error 1
make[2]: Leaving directory `/tmp/jl/openca-ocspd-master/src/ocspd'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/jl/openca-ocspd-master/src'
make: *** [all-recursive] Error 1
If anyone is here, can you tell me what is causing the above error?
Thanks,
Jim
From: ohaya <oh...@ya...> - 2022-05-12 02:51:45
Hi,
I am trying to install the OCSP Responder on a Redhat 7 machine and am having the following problem:
[root@ip-192-168-114-98 jl]# rpm -ivh libpki-0.9.0-1.el7.x86_64.rpm
Preparing... ################################# [100%]
Updating / installing...
1:libpki-0.9.0-1.el7 ################################# [100%]
[root@ip-192-168-114-98 jl]# rpm -ivh openca-ocspd-3.1.2-1.el7.x86_64.rpm
error: Failed dependencies:
libpki.so.89()(64bit) is needed by openca-ocspd-3.1.2-1.el7.x86_64
I've done some searching and found a couple of msgs with the same error, but no solutions.
Please advise.
Thanks,
Jim
From: ohaya <oh...@ya...> - 2022-05-11 14:40:15
Hi,
It has been awhile since posting! We are preparing to re-deploy OCSPD to some new RHEL7 machines and I wanted to check if the OCSP Responder v3.1.2 and LibPKI 0.90 RPM downloads below are the correct current ones and are stable?
openca-ocspd-3.1.2-1.el7.x86_64.rpm Size: 51 Kb - Downloads: 2418 [Sha1: 43e453fbb8d06e7f1a924d9e49d25cb2074edbdb]
libpki-0.9.0-1.el7.x86_64.rpm Size: 339 Kb - Downloads: 1562 [Sha1: 4671e10121141a4537ca1ddaddd776509f9e88db]
Thanks,
Jim
From: <oh...@ya...> - 2019-08-06 20:18:55
Hi,
FYI, please ignore the information below, and also the other email about the other similar situation where I thought that some CRL entries might not be in OCSPD's database from the import.
It looks like I had generated the list of serial numbers that I was using to drive a load test using one set of CRL files, but the actual OCSPD was using a different set of CRL files.
Sorry!
Jim
On Monday, August 5, 2019, 9:33:11 PM UTC, oh...@ya... <oh...@ya...> wrote:
Hi,
I have been testing against one of our CRLs, and in there, we have a cert serial 2FB227. Here's the output from the "openssl crl" for that serial number:
Serial Number: 2FB227
Revocation Date: Jul 23 13:43:55 2019 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Superseded
Invalidity Date:
Jul 23 13:43:39 2019 GMT
However, when I run an "openssl ocspd" (send a request) test, against OpenCA OCSPD with this CRL, I am getting this:
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 9FC23C79C5BC28FDCD3EC6E5201AECCD200DABE4
Issuer Key Hash: 5B91C64436F228F2F8CFB2C2C8CA6349619B200A
Serial Number: 2FB227
Request Extensions:
OCSP Nonce:
04109ED8FB9BFBBC1900A6B08972EBC308F7
Response verify OK
0x2FB227: good
This Update: Aug 5 21:27:45 2019 GMT
Next Update: Aug 5 21:32:45 2019 GMT
So, it looks like, from the CRL, the cert was Revoked, because it was "superseded", and then when I run an OCSP request for the serial number, OpenCA OCSPD is sending an OCSP response that does not indicate that the cert was revoked?
I am not that familiar with the RFCs (and with the "Superseded" reason) but is that a "correct" OCSP response for that revoked entry in the CRL file?
Shouldn't OpenCA OCSPD be sending an OCSP response that indicates that the certificate with that serial number has been Revoked?
Thanks,Jim
From: <oh...@ya...> - 2019-08-06 14:54:18
Hi,
I just realized that the OCSP responses with:
Response verify OK
0x17FF15: good
This Update: Aug 6 14:18:41 2019 GMT
Next Update: Aug 6 14:23:41 2019 GMT
are the same as when OCSPD cannot find the serial number??
So it seems like some of the entries that are in the CRL file are NOT in the OCSPD database, i.e., when I do an OCSP request for 17FF15, OCSPD does not have that entry in its database???
Jim
On Tuesday, August 6, 2019, 2:25:33 PM UTC, oh...@ya... <oh...@ya...> wrote:
Hi,
This is similar to a case I mentioned in my previous post, but this time it is for an entry in the CRL that is "Key Compromise".
I have been testing against one of our CRLs, and in there, we have a cert serial 17FF15. Here's the output from the "openssl crl" for that serial number:
Serial Number: 17FF15
Revocation Date: Sep 27 16:41:12 2018 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Key Compromise
However, when I run an "openssl ocspd" (send a request) test, against OpenCA OCSPD with this CRL, I am getting this:
OOCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 9FC23C79C5BC28FDCD3EC6E5201AECCD200DABE4
Issuer Key Hash: 5B91C64436F228F2F8CFB2C2C8CA6349619B200A
Serial Number: 17FF15
Request Extensions:
OCSP Nonce:
0410C4C258A539DD8568B18DD47058D02E75
Response verify OK
0x17FF15: good
This Update: Aug 6 14:18:41 2019 GMT
Next Update: Aug 6 14:23:41 2019 GMT
So, it looks like, from the CRL, the cert was Revoked, because it was "Key Compromise", and then when I run an OCSP request for the serial number, OpenCA OCSPD is sending an OCSP response that does not indicate that the cert was revoked?
Again, I am not that familiar with the RFCs but is that a "correct" OCSP response for that revoked entry in the CRL file?
Shouldn't OpenCA OCSPD be sending an OCSP response that indicates that the certificate with that serial number has been Revoked?
For instance, here is the CRL entry vs. OCSP response for another serial number, 17FF16:
Serial Number: 17FF16
Revocation Date: Oct 29 16:55:42 2018 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Affiliation Changed
Invalidity Date:
Oct 29 16:49:18 2018 GMT
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 9FC23C79C5BC28FDCD3EC6E5201AECCD200DABE4
Issuer Key Hash: 5B91C64436F228F2F8CFB2C2C8CA6349619B200A
Serial Number: 17FF16
Request Extensions:
OCSP Nonce:
041070807FF2981BD8E943724399B93011E7
Response verify OK
0x17FF16: revoked
This Update: Aug 6 14:23:01 2019 GMT
Next Update: Aug 6 14:28:01 2019 GMT
Reason: affiliationChanged
Revocation Time: Oct 29 16:55:42 2018 GMT
Notice the OCSP response for the 17FF16 serial number has:
0x17FF16: revoked
and:
Reason: affiliationChanged
Revocation Time: Oct 29 16:55:42 2018 GMT
Thanks,
Jim
From: <oh...@ya...> - 2019-08-06 14:25:47
Hi,
This is similar to a case I mentioned in my previous post, but this time it is for an entry in the CRL that is "Key Compromise".
I have been testing against one of our CRLs, and in there, we have a cert serial 17FF15. Here's the output from the "openssl crl" for that serial number:
Serial Number: 17FF15
Revocation Date: Sep 27 16:41:12 2018 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Key Compromise
However, when I run an "openssl ocspd" (send a request) test, against OpenCA OCSPD with this CRL, I am getting this:
OOCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 9FC23C79C5BC28FDCD3EC6E5201AECCD200DABE4
Issuer Key Hash: 5B91C64436F228F2F8CFB2C2C8CA6349619B200A
Serial Number: 17FF15
Request Extensions:
OCSP Nonce:
0410C4C258A539DD8568B18DD47058D02E75
Response verify OK
0x17FF15: good
This Update: Aug 6 14:18:41 2019 GMT
Next Update: Aug 6 14:23:41 2019 GMT
So, it looks like, from the CRL, the cert was Revoked, because it was "Key Compromise", and then when I run an OCSP request for the serial number, OpenCA OCSPD is sending an OCSP response that does not indicate that the cert was revoked?
Again, I am not that familiar with the RFCs but is that a "correct" OCSP response for that revoked entry in the CRL file?
Shouldn't OpenCA OCSPD be sending an OCSP response that indicates that the certificate with that serial number has been Revoked?
For instance, here is the CRL entry vs. OCSP response for another serial number, 17FF16:
Serial Number: 17FF16
Revocation Date: Oct 29 16:55:42 2018 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Affiliation Changed
Invalidity Date:
Oct 29 16:49:18 2018 GMT
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 9FC23C79C5BC28FDCD3EC6E5201AECCD200DABE4
Issuer Key Hash: 5B91C64436F228F2F8CFB2C2C8CA6349619B200A
Serial Number: 17FF16
Request Extensions:
OCSP Nonce:
041070807FF2981BD8E943724399B93011E7
Response verify OK
0x17FF16: revoked
This Update: Aug 6 14:23:01 2019 GMT
Next Update: Aug 6 14:28:01 2019 GMT
Reason: affiliationChanged
Revocation Time: Oct 29 16:55:42 2018 GMT
Notice the OCSP response for the 17FF16 serial number has:
0x17FF16: revoked
and:
Reason: affiliationChanged
Revocation Time: Oct 29 16:55:42 2018 GMT
Thanks,
Jim
From: <oh...@ya...> - 2019-08-05 21:33:18
Hi,
I have been testing against one of our CRLs, and in there, we have a cert serial 2FB227. Here's the output from the "openssl crl" for that serial number:
Serial Number: 2FB227
Revocation Date: Jul 23 13:43:55 2019 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Superseded
Invalidity Date:
Jul 23 13:43:39 2019 GMT
However, when I run an "openssl ocspd" (send a request) test, against OpenCA OCSPD with this CRL, I am getting this:
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 9FC23C79C5BC28FDCD3EC6E5201AECCD200DABE4
Issuer Key Hash: 5B91C64436F228F2F8CFB2C2C8CA6349619B200A
Serial Number: 2FB227
Request Extensions:
OCSP Nonce:
04109ED8FB9BFBBC1900A6B08972EBC308F7
Response verify OK
0x2FB227: good
This Update: Aug 5 21:27:45 2019 GMT
Next Update: Aug 5 21:32:45 2019 GMT
So, it looks like, from the CRL, the cert was Revoked, because it was "superseded", and then when I run an OCSP request for the serial number, OpenCA OCSPD is sending an OCSP response that does not indicate that the cert was revoked?
I am not that familiar with the RFCs (and with the "Superseded" reason) but is that a "correct" OCSP response for that revoked entry in the CRL file?
Shouldn't OpenCA OCSPD be sending an OCSP response that indicates that the certificate with that serial number has been Revoked?
Thanks, Jim
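The messages above (serials 2FB227, 17FF15 and 17FF16) compare `openssl crl -text` entries against the responder's `openssl ocsp` answers by eye. As an added example that is not part of this thread and not OpenCA's or LibPKI's code, the Python below automates that cross-check: it parses the two text outputs (constructed samples embedded inline, reusing the serials, dates and reasons quoted in the thread) and reports every serial the CRL marks revoked that the responder answered with anything other than `revoked`, or with a different revocation time. The regular expressions match the OpenSSL text layout shown in the thread and are this example's own assumption.

```python
import re

# Constructed sample in the layout printed by `openssl crl -text -noout`
# (serials, dates and reasons taken from the thread above).
CRL_TEXT = """\
Revoked Certificates:
    Serial Number: 17FF15
        Revocation Date: Sep 27 16:41:12 2018 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 17FF16
        Revocation Date: Oct 29 16:55:42 2018 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Affiliation Changed
            Invalidity Date:
                Oct 29 16:49:18 2018 GMT
"""

# Constructed sample: the per-serial status lines printed by `openssl ocsp`
# for two requests against the responder, as quoted in the thread.
OCSP_TEXT = """\
Response verify OK
0x17FF15: good
        This Update: Aug  6 14:18:41 2019 GMT
        Next Update: Aug  6 14:23:41 2019 GMT
Response verify OK
0x17FF16: revoked
        This Update: Aug  6 14:23:01 2019 GMT
        Next Update: Aug  6 14:28:01 2019 GMT
        Reason: affiliationChanged
        Revocation Time: Oct 29 16:55:42 2018 GMT
"""

SERIAL_RE = re.compile(r"^\s*Serial Number:\s*([0-9A-Fa-f]+)\s*$")
REVDATE_RE = re.compile(r"^\s*Revocation Date:\s*(.+?)\s*$")
REASON_HDR_RE = re.compile(r"^\s*X509v3 CRL Reason Code:\s*$")
STATUS_RE = re.compile(r"^\s*0x([0-9A-Fa-f]+):\s*(good|revoked|unknown)\s*$")
OCSP_REASON_RE = re.compile(r"^\s*Reason:\s*(\S+)\s*$")
OCSP_REVTIME_RE = re.compile(r"^\s*Revocation Time:\s*(.+?)\s*$")


def norm_serial(s):
    """Upper-case hex without leading zeros, so '0x17ff15' and '17FF15' compare equal."""
    return s.upper().lstrip("0") or "0"


def norm_date(s):
    """Collapse OpenSSL's variable spacing in dates (e.g. 'Aug  6')."""
    return " ".join(s.split())


def parse_crl_text(text):
    """{serial: {'revocation_date', 'reason'}} from `openssl crl -text` output."""
    entries, current, expect_reason = {}, None, False
    for line in text.splitlines():
        if expect_reason and line.strip():
            entries[current]["reason"] = line.strip()  # reason sits on the line after its header
            expect_reason = False
            continue
        if m := SERIAL_RE.match(line):
            current = norm_serial(m.group(1))
            entries[current] = {"revocation_date": None, "reason": None}
        elif (m := REVDATE_RE.match(line)) and current:
            entries[current]["revocation_date"] = norm_date(m.group(1))
        elif REASON_HDR_RE.match(line) and current:
            expect_reason = True
    return entries


def parse_ocsp_text(text):
    """{serial: {'status', 'reason', 'revocation_time'}} from `openssl ocsp` output."""
    statuses, current = {}, None
    for line in text.splitlines():
        if m := STATUS_RE.match(line):
            current = norm_serial(m.group(1))
            statuses[current] = {"status": m.group(2), "reason": None, "revocation_time": None}
        elif (m := OCSP_REASON_RE.match(line)) and current:
            statuses[current]["reason"] = m.group(1)
        elif (m := OCSP_REVTIME_RE.match(line)) and current:
            statuses[current]["revocation_time"] = norm_date(m.group(1))
    return statuses


def find_mismatches(crl_entries, ocsp_statuses):
    """Every serial the CRL lists must come back 'revoked' with the same revocation time."""
    problems = []
    for serial, entry in crl_entries.items():
        resp = ocsp_statuses.get(serial)
        if resp is None:
            problems.append((serial, "no OCSP response captured for this serial"))
        elif resp["status"] != "revoked":
            problems.append((serial, f"CRL says revoked ({entry['reason']}) but OCSP says {resp['status']}"))
        elif resp["revocation_time"] != entry["revocation_date"]:
            problems.append((serial, "revocation time differs between CRL and OCSP response"))
    return problems


if __name__ == "__main__":
    for serial, why in find_mismatches(parse_crl_text(CRL_TEXT), parse_ocsp_text(OCSP_TEXT)):
        print(f"MISMATCH {serial}: {why}")
```

Run on the constructed samples it flags only 17FF15 (CRL: Key Compromise, responder: good), which is the discrepancy the thread is about; feeding it the saved `openssl crl -text` output of the CRL set the responder was actually loaded with, rather than a different set, is the check that would have caught the mix-up described in the follow-up message.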
From: Dr. P. <ma...@op...> - 2019-07-21 15:52:53
Hi Jim,
sorry it took me so much time to reply - I admit I missed your message
:D For adding support for DB lookup instead of memory lookup, the
effort should not be that much. The way I would architect the project
would be to add support for the specific DB (in LibPKI Pg and MySQL are
already supported in the URL interface, however I would not suggest
querying the database through that interface as it is not optimized for
speed :D), then I would:
* Upon CRL loading, I would add a function that takes the single
entries and put them in the database (and maybe remove the entries
that are expired - sort of cleanup) and then remove the CRL from
memory (freeing the memory)
* Repeat for all the CRLs you want to serve
This might work but you have to be sure you are not updating the DB from
different instances of the service (i.e., there must be a master that
updates the DB while all the other instances only perform lookup
operations in the DB).
Possibly, the process that updates the DB could be a separate one (not
necessarily the OCSPD), while the OCSPD would only perform queries to
build the responses.
Does this make sense? Were you thinking about a different type of
architecture?
Cheers,
Max
On 7/11/19 9:47 AM, oh...@ya... wrote:
> Hi,
>
> Sorry that it's been awhile since your message below.
>
> We *MAY* be able to provide support for adding the DB option, but, if
> it is not too much trouble, can you give a high-level description of
> what would be done? I am still pushing for it here, but I am not 100%
> sure yet.
>
> Also, would the modifications be in Java? Or in C/C++?
>
> Thanks,
> Jim
>
>
>
> On Sunday, May 26, 2019, 11:30:31 PM UTC, Dr. Pala
> <ma...@op...> wrote:
>
>
> Hi Jim,
>
> interesting issue - something I have not considered (memory usage).
> Unfortunately, the memory usage will not be different because, in the
> end, after one of the supported/specific transport protocol is used
> (i.e., LDAP, HTTP, HTTPS, MySQL, PgSQL, etc.) the CRL is then parsed
> and entries are created based on the entries in the CRL.
>
> One solution to your problem, maybe, would be to sacrifice the speed
> of response for the possibility to instantiate OCSPDs in small
> containers/VMs. My assumption is that disk-space is not an issue.
>
> We could think about modifying the OCSPD to work off a small DB4 or
> similar... this would allow us to create entries in the DB (filesystem
> entries instead of memory entries). This might require additional time
> at CRL reload, but the memory usage would be practically constant with
> the growing of CRLs.
>
> We have been working recently to make sure LibPKI works well with
> OpenSSL 1.1.+ branches (and add support for CMS in the same context),
> and the next update I was thinking was related to two different things:
>
> * Adding a simple Cache mechanism so that the same answer can be
> cached for its validity period (or up to 80% of its validity
> period). This would improve the speed for high-frequency
> certificates' checks
> * Adding support for OCSPv2 (and DNS distribution end-points). This
> is something we have been working for a while and would like to
> standardize at some point. The main idea is to provide responses
> for "ranges" of certificates instead of for each of the issued
> certificates. This would provide smaller overhead when large
> chunks of the issued certs space are not revoked. For revoked
> entries, there is not much optimization we can do since you need
> the full revocation data there.
>
> I guess we can add the low-memory architecture as another enhancement,
> but I am not sure I have the bandwidth right now to work on that -
> would you like to work on that together and provide some initial
> thoughts / code?
>
> Cheers,
> Max
>
> On 5/24/19 1:00 PM, o haya via Openca-ocspd wrote:
> Hi,
>
> I had asked this question awhile ago, but no one responded, so I would
> like to ask again.
>
> We currently use OCSPD with multiple CRLs (from different CAs). Some
> of these CRLs are quite large, and so the OCSPD memory usage is quite
> large.
>
> However, we have some scenarios where we have machines with only much
> smaller memory, but we would still like to use OCSPD and with the same
> CRLs.
>
> All of our machines include an LDAP server, and from the docs, it
> seems like OCSPD can work with CRLs in LDAP servers, so we were
> wondering if we made our own tool to import the CRL contents into the
> LDAP server, and configured OCSPD to use the CRLs in the LDAP server,
> do you think/know if the overall memory usage would be reduced,
> compared to our current configuration?
>
> I understand that the memory usage of the LDAP server, when populated
> with the CRLs, MIGHT be the same, and if so, we'd end up in a
> "zero-sum" situation, but I wanted to check what you all thought? Has
> anyone used OCSPD with the CRL information in an LDAP?
>
> Thanks,
> Jim
>
>
> _______________________________________________
> Openca-ocspd mailing list
> Ope...@li... <mailto:Ope...@li...>
> https://lists.sourceforge.net/lists/listinfo/openca-ocspd
> --
> Best Regards,
> Massimiliano Pala, Ph.D.
> OpenCA Labs Director
--
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
From: <oh...@ya...> - 2019-07-11 13:47:55
Hi,
Sorry that it's been awhile since your message below.
We *MAY* be able to provide support for adding the DB option, but, if it is not too much trouble, can you give a high-level description of what would be done? I am still pushing for it here, but I am not 100% sure yet.
Also, would the modifications be in Java? Or in C/C++?
Thanks,Jim
On Sunday, May 26, 2019, 11:30:31 PM UTC, Dr. Pala <ma...@op...> wrote:
Hi Jim,
interesting issue - something I have not considered (memory usage). Unfortunately, the memory usage will not be different because, in the end, after one of the supported/specific transport protocol is used (i.e., LDAP, HTTP, HTTPS, MySQL, PgSQL, etc.) the CRL is then parsed and entries are created based on the entries in the CRL.
One solution to your problem, maybe, would be to sacrifice the speed of response for the possibility to instantiate OCSPDs in small containers/VMs. My assumption is that disk-space is not an issue.
We could think about modifying the OCSPD to work off a small DB4 or similar... this would allow us to create entries in the DB (filesystem entries instead of memory entries). This might require additional time at CRL reload, but the memory usage would be practically constant with the growing of CRLs.
We have been working recently to make sure LibPKI works well with OpenSSL 1.1.+ branches (and add support for CMS in the same context), and the next update I was thinking was related to two different things:
- Adding a simple Cache mechanism so that the same answer can be cached for its validity period (or up to 80% of its validity period). This would improve the speed for high-frequency certificates' checks
- Adding support for OCSPv2 (and DNS distribution end-points). This is something we have been working for a while and would like to standardize at some point. The main idea is to provide responses for "ranges" of certificates instead of for each of the issued certificates. This would provide smaller overhead when large chunks of the issued certs space are not revoked. For revoked entries, there is not much optimization we can do since you need the full revocation data there.
I guess we can add the low-memory architecture as another enhancement, but I am not sure I have the bandwidth right now to work on that - would you like to work on that together and provide some initial thoughts / code?
Cheers,
Max
On 5/24/19 1:00 PM, o haya via Openca-ocspd wrote:
Hi,
I had asked this question awhile ago, but no one responded, so I would like to ask again.
We currently use OCSPD with multiple CRLs (from different CAs). Some of these CRLs are quite large, and so the OCSPD memory usage is quite large.
However, we have some scenarios where we have machines with only much smaller memory, but we would still like to use OCSPD and with the same CRLs.
All of our machines include an LDAP server, and from the docs, it seems like OCSPD can work with CRLs in LDAP servers, so we were wondering if we made our own tool to import the CRL contents into the LDAP server, and configured OCSPD to use the CRLs in the LDAP server, do you think/know if the overall memory usage would be reduced, compared to our current configuration?
I understand that the memory usage of the LDAP server, when populated with the CRLs, MIGHT be the same, and if so, we'd end up in a "zero-sum" situation, but I wanted to check what you all thought? Has anyone used OCSPD with the CRL information in an LDAP?
Thanks, Jim
--
Best Regards, Massimiliano Pala, Ph.D.
OpenCA Labs Director
From: Dr. P. <ma...@op...> - 2019-05-26 23:30:22
Hi Jim,
interesting issue - something I have not considered (memory usage).
Unfortunately, the memory usage will not be different because, in the
end, after one of the supported/specific transport protocol is used
(i.e., LDAP, HTTP, HTTPS, MySQL, PgSQL, etc.) the CRL is then parsed and
entries are created based on the entries in the CRL.
One solution to your problem, maybe, would be to sacrifice the speed of
response for the possibility to instantiate OCSPDs in small
containers/VMs. My assumption is that disk-space is not an issue.
We could think about modifying the OCSPD to work off a small DB4 or
similar... this would allow us to create entries in the DB (filesystem
entries instead of memory entries). This might require additional time
at CRL reload, but the memory usage would be practically constant with
the growing of CRLs.
We have been working recently to make sure LibPKI works well with
OpenSSL 1.1.+ branches (and add support for CMS in the same context),
and the next update I was thinking was related to two different things:
* Adding a simple Cache mechanism so that the same answer can be
cached for its validity period (or up to 80% of its validity
period). This would improve the speed for high-frequency
certificates' checks
* Adding support for OCSPv2 (and DNS distribution end-points). This is
something we have been working for a while and would like to
standardize at some point. The main idea is to provide responses for
"ranges" of certificates instead of for each of the issued
certificates. This would provide smaller overhead when large chunks
of the issued certs space are not revoked. For revoked entries,
there is not much optimization we can do since you need the full
revocation data there.
I guess we can add the low-memory architecture as another enhancement,
but I am not sure I have the bandwidth right now to work on that - would
you like to work on that together and provide some initial thoughts / code?
Cheers,
Max
On 5/24/19 1:00 PM, o haya via Openca-ocspd wrote:
> Hi,
>
> I had asked this question awhile ago, but no one responded, so I would
> like to ask again.
>
> We currently use OCSPD with multiple CRLs (from different CAs). Some
> of these CRLs are quite large, and so the OCSPD memory usage is quite
> large.
>
> However, we have some scenarios where we have machines with only much
> smaller memory, but we would still like to use OCSPD and with the same
> CRLs.
>
> All of our machines include an LDAP server, and from the docs, it
> seems like OCSPD can work with CRLs in LDAP servers, so we were
> wondering if we made our own tool to import the CRL contents into the
> LDAP server, and configured OCSPD to use the CRLs in the LDAP server,
> do you think/know if the overall memory usage would be reduced,
> compared to our current configuration?
>
> I understand that the memory usage of the LDAP server, when populated
> with the CRLs, MIGHT be the same, and if so, we'd end up in a
> "zero-sum" situation, but I wanted to check what you all thought? Has
> anyone used OCSPD with the CRL information in an LDAP?
>
> Thanks,
> Jim
>
>
--
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
From: o h. <oh...@ya...> - 2019-05-24 19:00:28
Hi,
I had asked this question a while ago, but no one responded, so I would like to ask again.
We currently use OCSPD with multiple CRLs (from different CAs). Some of these CRLs are quite large, and so the OCSPD memory usage is quite large.
However, we have some scenarios where we have machines with only much smaller memory, but we would still like to use OCSPD and with the same CRLs.
All of our machines include an LDAP server, and from the docs, it seems like OCSPD can work with CRLs in LDAP servers, so we were wondering if we made our own tool to import the CRL contents into the LDAP server, and configured OCSPD to use the CRLs in the LDAP server, do you think/know if the overall memory usage would be reduced, compared to our current configuration?
I understand that the memory usage of the LDAP server, when populated with the CRLs, MIGHT be the same, and if so, we'd end up in a "zero-sum" situation, but I wanted to check what you all thought? Has anyone used OCSPD with the CRL information in an LDAP?
Thanks, Jim
From: Martin H. <he...@hl...> - 2019-04-30 09:57:06
Hi Jim,
I'm not the maintainer of the projects. Max (Dr. Massimiliano Pala) is the owner of the projects and he has to do the merge (or someone else to whom he might have granted the privileges to do so).
Anyhow, I have created pull requests (https://github.com/openca/libpki/pull/41 and https://github.com/openca/openca-ocspd/pull/46) to merge the necessary changes upstream. I'll let you know when they are accepted and merged.
Cheers,
Martin
On 4/27/19 1:24 AM, o haya wrote:
> [...]
>
> Martin,
> Can you let me know when you have done the commit and merge(?) and I will try to rebuild again after that?
> Thanks!!
> Jim
>
>
From: o h. <oh...@ya...> - 2019-04-26 23:24:37
Hi,
Please ignore what I said about the error. I think that there was something wrong with my configuration files.
I ran the newest ocspd (built using the 2nd bugfixes + the patch):
/apps/oracle/ocspd-bugfixes-2/sbin/ocspd -c /apps/oracle/ocspd/etc/ocspd/ocspd.xml -debug -stdout -v
and then the new ocspd started up correctly.
So, bottom line is it appears that the ocspd can be built on RHEL 6.10 using gcc 4.4.7 with the 2nd bugfixes + the patch for general.h.
Martin,
Can you let me know when you have done the commit and merge(?) and I will try to rebuild again after that?
Thanks!!
Jim
From: o h. <oh...@ya...> - 2019-04-26 21:11:46
Hi,
I think that I needed to also run the patch that you provided awhile ago.
After I did that, I was able to build ocspd.
However, I am having trouble running the new ocspd.
I get the following when only the self-cert.xml is in the ca.d directory:
[orcladmin@ip-192-168-0-95 sbin]$ ls /apps/oracle/ocspd-bugfixes-2/etc/ocspd/ca.d
BACKUP self-certs.xml
[orcladmin@ip-192-168-0-95 sbin]$ /apps/oracle/ocspd-bugfixes-2/sbin/ocspd -c /apps/oracle/ocspd-bugfixes-2/etc/ocspd/ocspd.xml -debug -stdout -v
OpenCA's OCSP Responder - v3.1.2 (Build: Fri Apr 26 20:37:46 UTC 2019)
(c) 2002-2018 by Massimiliano Pala and OpenCA Project
OpenCA licensed software
Apr 26 21:10:05 2019 GMT [18470] GENERAL: OpenCA OCSPD v3.1.2 (Fri Apr 26 20:37:46 UTC 2019)- starting.
Apr 26 21:10:05 2019 GMT [18470] INFO: [token.c:2574] [DEBUG] ERROR, can not load directory /home/orcladmin/.libpki/profile.d!
Apr 26 21:10:05 2019 GMT [18470] INFO: [token.c:831] [DEBUG] Can not load profiles (/home/orcladmin/.libpki/profile.d)
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:866] [DEBUG] Skipping file ..
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:866] [DEBUG] Skipping file .
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:866] [DEBUG] Skipping file BACKUP
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:876] [DEBUG] Loading file /apps/oracle/ocspd-bugfixes-2/etc/ocspd/ca.d/self-certs.xml
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:892] [DEBUG] Loaded /apps/oracle/ocspd-bugfixes-2/etc/ocspd/ca.d/self-certs.xml file
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/security/chrootDir, Position: -1]
Apr 26 21:10:05 2019 GMT [18470] INFO: [config.c:277] [DEBUG] Selected response digest algorithm: SHA1
Apr 26 21:10:05 2019 GMT [18470] INFO: [config.c:298] [DEBUG] Selected signature digest algorithm: SHA256
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/general/dbUrl, Position: -1]
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/general/dbPersistant, Position: -1]
Apr 26 21:10:05 2019 GMT [18470] INFO: [config.c:394] [DEBUG] Building CA List
Apr 26 21:10:05 2019 GMT [18470] GENERAL: Processing Configuration for [CA: MySelf]
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1]
Apr 26 21:10:05 2019 GMT [18470] ERROR: [pki_x509_io.c:227] Null Memory Pointer => No data returned from URL []
Apr 26 21:10:05 2019 GMT [18470] ERROR: [config.c:475] [ERROR] Can not get CA cert [CA: etc/ocspd/certs/cacert.pem, URL: MySelf]
Apr 26 21:10:05 2019 GMT [18470] INFO: Configuration loaded and parsed
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:784] [DEBUG] GOT SEARCH PATHS => 1
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:797] [DEBUG] SEARCHING FOR ocspServerToken in dir /apps/oracle/ocspd-bugfixes-2/etc/ocspd/pki/token.d
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:692] [DEBUG] Processing file [..]
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:696] [DEBUG] Skipping ..
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:692] [DEBUG] Processing file [eracom.xml]
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:710] [DEBUG] Opening File /apps/oracle/ocspd-bugfixes-2/etc/ocspd/pki/token.d/eracom.xml
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:722] [DEBUG] Getting Name Param...
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:728] [DEBUG] Got Name::Eracom
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:692] [DEBUG] Processing file [software.xml]
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:710] [DEBUG] Opening File /apps/oracle/ocspd-bugfixes-2/etc/ocspd/pki/token.d/software.xml
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:722] [DEBUG] Getting Name Param...
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:728] [DEBUG] Got Name::ocspServerToken
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:736] [DEBUG] File successfully loaded /apps/oracle/ocspd-bugfixes-2/etc/ocspd/pki/token.d/software.xml
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:801] [DEBUG] FOUND => ocspServerToken [/apps/oracle/ocspd-bugfixes-2/etc/ocspd/pki/token.d]
Apr 26 21:10:05 2019 GMT [18470] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /tokenConfig/password, Position: -1]
Apr 26 21:10:05 2019 GMT [18470] ERROR: [pki_x509_io.c:227] Null Memory Pointer => No data returned from URL [▒▒▒]
Apr 26 21:10:05 2019 GMT [18470] ERROR: [token.c:692] Can not load Token certificate
Apr 26 21:10:05 2019 GMT [18470] ERROR: [token.c:839] Can not load Token's Profile => ocspServerToken
Apr 26 21:10:05 2019 GMT [18470] ERROR: [core.c:42] [ERROR] Can not load default token (/apps/oracle/ocspd-bugfixes-2/etc/ocspd/ocspd.xml/ocspServerToken)
Apr 26 21:10:05 2019 GMT [18470] NOTICE: Exiting, Glad to serve you, Master!
In other words, it just starts and then dies/exits.
Jim
From: o h. <oh...@ya...> - 2019-04-26 17:58:33
Hi Martin,
So I should just download this ZIP and re-build libpki:
https://github.com/mrbaseman/libpki/tree/bugfixes
?
Do I have to wait for a merge? Or do I just download the above?
Thanks, Jim
On Thursday, April 25, 2019, 3:06:45 PM UTC, Martin Hecht <he...@hl...> wrote:
Hi Jim,
I think I have found the problem, at least with
https://github.com/mrbaseman/libpki/commit/34fe3f3febb37f7b40cc03bc4f8dd99dbab209f7
ocspd loads our crl when compiled on SL 6 and does not crash anymore.
The commit is in my "bugfixes" branch.
@Max: It has been added to #41 for libpki, and I have also opened #46 for ocspd for building it on RHEL 6.x and derivatives
Cheers, Martin
On 4/19/19 1:24 AM, o haya via Openca-ocspd wrote:
> Hi,
> Do you have any idea about what is causing the segfault? It seems like the only CRL it works with now is the collegeca one (at least for me). What is it about the collegeca one that allows it to work?
> Thanks, Jim
>
>
From: Martin H. <he...@hl...> - 2019-04-25 15:06:53
Hi Jim,
I think I have found the problem, at least with
https://github.com/mrbaseman/libpki/commit/34fe3f3febb37f7b40cc03bc4f8dd99dbab209f7
ocspd loads our crl when compiled on SL 6 and does not crash anymore.
The commit is in my "bugfixes" branch.
@Max: It has been added to #41 for libpki, and I have also opened #46 for ocspd for building it on RHEL 6.x and derivatives
Cheers, Martin
On 4/19/19 1:24 AM, o haya via Openca-ocspd wrote:
> Hi,
> Do you have any idea about what is causing the segfault? It seems like the only CRL it works with now is the collegeca one (at least for me). What is it about the collegeca one that allows it to work?
> Thanks, Jim
>
>
From: o h. <oh...@ya...> - 2019-04-22 12:26:46
Hi,
Sorry. I was re-reading my message below, and I think that the last line was kind of unclear.
What I meant to say with that last line was:
"That seems to suggest that it is at least POSSIBLE, to get an ocspd THAT IS BUILT ON RHEL 6.10, to run on RHEL 6.10?"
Mind you, I don't know *HOW* to do that yet, because the ocspd that I built on RHEL 6.10 segfaults when I run it with any of our CRLs configured (but the ocspd that I built on RHEL 6.10 does work when only the collegeca CRL is configured).
So I am trying to figure out what is different between the collegeca CRL configuration vs. any of my CRL configurations, which is causing ocspd to segfault.
I have tried running in debug and that doesn't really provide much info (it just segfaults) and also tried running ocspd under strace and again, that doesn't give much additional information.
Thanks, Jim
On Friday, April 19, 2019, 10:07:05 AM UTC, o haya via Openca-ocspd <ope...@li...> wrote:
Hi,
I think that I posted about this earlier, and that I was able to get ocspd running on a RHEL 6.10 instance, by building libpki and ocspd on a RHEL 7.6 system, and then copying of the libpki folder and the ocspd folder from the RHEL 7.6 system to the target RHEL 6.10 instance and then building "parallel" GLIBC 2.14 on the RHEL 6.10 system and adding that parallel GLIBC 2.14 to the LD_LIBRARY_PATH.
And that ocspd on RHEL 6.10 then seemed to be able to run, including our normal CRL files, etc. in the configuration.
That seems to suggest that it is at least possible to get the ocspd to run on RHEL 6.10?
Jim
From: o h. <oh...@ya...> - 2019-04-19 10:55:35
Hi,
There is a small script named "test.sh" in the ocspd sbin directory, and when it is run, I get:
OCSP Test Script
(c) 2006 by Massimiliano Pala and OpenCA Team
Test 78 requests (serial 123):
[111111111111111111111111111111111111111111111111111111111111111111111111111111
real 0m0.250s
user 0m0.161s
sys 0m0.045s
]
I had assumed that that script was running a test against the actual ocspd, but then I noticed that even when I run it while the ocspd is not running, I get exactly the same output.
So I was looking at the script:
#!/bin/bash
echo
echo "OCSP Test Script"
echo "(c) 2006 by Massimiliano Pala and OpenCA Team"
echo
# if [ $# -lt 3 ] ; then
#   echo "Usage: $0 <CAfile> <Issuer_Cert> <URL>"
#   echo
#   echo "  example: $0 ca-bundle.pem cacert.pem http://localhost:2560/"
#   echo
#   exit 0
# fi
# Hard-coded inputs: the trust bundle, the issuer cert and the responder URL.
cabundle=data/europki_root_ca_cert.pem
cacert=data/europki_root_ca_cert.pem
url=http://localhost:2560/
# Optional first argument: number of requests to send (default 78).
if [ "0$1" -gt 0 ] ; then
  nreq=$1;
else
  nreq=78;
fi
for ser in 123 ; do
  echo "Test $nreq requests (serial $ser):"
  echo -n "["
  time {
    for((i=0;i<$nreq;i++)); do
      openssl ocsp -CAfile $cabundle \
        -url $url \
        -issuer $cacert \
        -serial $ser 2>/dev/null >/dev/null
      # -cert test/ocspd_cert.pem 2>/dev/null >/dev/null
      rc=$?   # save openssl's exit status before the test below overwrites $?
      if [ $rc = 0 ] ; then
        echo -n .          # one dot per successful request
      else
        echo -n $rc        # otherwise print the openssl exit status
      fi
    done
  }
  echo "]"
  echo
done
exit
And from that, it looks like it is running this command:
openssl ocsp -CAfile data/europki_root_ca_cert.pem -issuer data/europki_root_ca_cert.pem -url http://localhost:2560/ -serial 123
but there is no "data/europki_root_ca_cert.pem" file and also nothing is listening on port 2560, so with all of the above, I am not sure what the test.sh is actually doing, or how it even works.
Thanks, Jim
From: o h. <oh...@ya...> - 2019-04-19 10:07:00
Hi,
I think that I posted about this earlier, and that I was able to get ocspd running on a RHEL 6.10 instance, by building libpki and ocspd on a RHEL 7.6 system, and then copying of the libpki folder and the ocspd folder from the RHEL 7.6 system to the target RHEL 6.10 instance and then building "parallel" GLIBC 2.14 on the RHEL 6.10 system and adding that parallel GLIBC 2.14 to the LD_LIBRARY_PATH.
And that ocspd on RHEL 6.10 then seemed to be able to run, including our normal CRL files, etc. in the configuration.
That seems to suggest that it is at least possible to get the ocspd to run on RHEL 6.10?
Jim
On Thursday, April 18, 2019, 11:24:53 PM UTC, o haya via Openca-ocspd <ope...@li...> wrote:
Hi,
Do you have any idea about what is causing the segfault? It seems like the only CRL it works with now is the collegeca one (at least for me). What is it about the collegeca one that allows it to work?
Thanks, Jim
On Thursday, April 18, 2019, 4:15:55 PM UTC, o haya <oh...@ya...> wrote:
[Added the mailing list back into the email... Sorry]
On Thursday, April 18, 2019, 3:04:24 PM UTC, o haya <oh...@ya...> wrote:
I ran the ocspd pointing to our configuration and it looks like this is where it is blowing up:
./ocspd -c /apps/oracle/ocspd/etc/ocspd/ocspd.xml -debug -stdout
...
Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:394] [DEBUG] Building CA List
Apr 18 14:57:37 2019 GMT [10335] GENERAL: Processing Configuration for [CA: EntrustCA.crl]
Apr 18 14:57:37 2019 GMT [10335] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1]
Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:623] [DEBUG] CRL Downloading Process Started [CA: EntrustCA.crl, URL: file:///apps/oracle/crl/golden/EntrustCA.crl]
Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:837] [DEBUG] CRL loaded successfully [URL: file:///apps/oracle/crl/golden/EntrustCA.crl]
Apr 18 14:57:37 2019 GMT [10335] INFO: [crl.c:213] [DEBUG] Got the public key from the CA cert [Scheme: RSA, Key Size: 2048]
Segmentation fault (core dumped)
On Thursday, April 18, 2019, 2:49:28 PM UTC, o haya <oh...@ya...> wrote:
Hi,
Oh oh... I got the following when I ran ocspd using our normal config files, etc.:
[root@ip-192-168-0-95 init.d]# ./ocspd-bugfixes start
Starting OCSP Responder: ./ocspd-bugfixes: line 39: 10259 Segmentation fault (core dumped) ${ocspd} -c "${conf}" -d
Error, check logs!
Where do I look for the logs that it is mentioning?
Jim
On Thursday, April 18, 2019, 10:59:51 AM UTC, Martin Hecht <he...@hl...> wrote:
Hi Jim,
looks good so far. You still have the example files in the config (the
College CA, Dartmouth and example Token configurations, and as far as I
can see you have not configured your own CRL location, CA cert etc.).
At least in my environment it did not work to the point where it says
"NOTICE: Exiting, Glad to serve you, Master!" in debug mode. It has
crashed earlier, but maybe it's something with loading the certificate
or the CRL from file. But maybe you don't run into that problem (e.g.
because your CA uses different algorithms).
Martin
On 4/18/19 12:36 PM, o haya wrote:
> Hi Martin,
> I applied the patch file to general.h, and I was able to do the make and make install (FYI, I built the libpki and ocspd into /apps/oracle/libpki-bugfixes and /apps/oracle/ocspd-bugfixes, respectively).
>
> Then, I did a test on RHEL 6.10, and I *think* it worked???
>
> Here's the "-debug -stdout" output:
> [orcladmin@ip-192-168-0-95 sbin]$ $ocspd -c $conf -debug -stdout
>
> OpenCA's OCSP Responder - v3.1.2 (Build: Thu Apr 18 10:21:33 UTC 2019)
> (c) 2002-2018 by Massimiliano Pala and OpenCA Project
> OpenCA licensed software
>
> Apr 18 10:31:30 2019 GMT [9346] GENERAL: OpenCA OCSPD v3.1.2 (Thu Apr 18 10:21:33 UTC 2019)- starting.
> Apr 18 10:31:30 2019 GMT [9346] INFO: [token.c:2574] [DEBUG] ERROR, can not load directory /home/orcladmin/.libpki/profile.d!
> Apr 18 10:31:30 2019 GMT [9346] INFO: [token.c:831] [DEBUG] Can not load profiles (/home/orcladmin/.libpki/profile.d)
>
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:866] [DEBUG] Skipping file ..
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:866] [DEBUG] Skipping file .
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:876] [DEBUG] Loading file /apps/oracle/ocspd-bugfixes/etc/ocspd/ca.d/collegeca.xml
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:892] [DEBUG] Loaded /apps/oracle/ocspd-bugfixes/etc/ocspd/ca.d/collegeca.xml file
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:876] [DEBUG] Loading file /apps/oracle/ocspd-bugfixes/etc/ocspd/ca.d/self-certs.xml
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:892] [DEBUG] Loaded /apps/oracle/ocspd-bugfixes/etc/ocspd/ca.d/self-certs.xml file
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/security/chrootDir, Position: -1]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [config.c:277] [DEBUG] Selected response digest algorithm: SHA1
> Apr 18 10:31:30 2019 GMT [9346] INFO: [config.c:298] [DEBUG] Selected signature digest algorithm: SHA256
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/general/dbUrl, Position: -1]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/general/dbPersistant, Position: -1]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [config.c:394] [DEBUG] Building CA List
> Apr 18 10:31:30 2019 GMT [9346] GENERAL: Processing Configuration for [CA: Dartmouth]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_socket.c:105] [DEBUG] Creating a SECURE connection (SSL/TLS)
> Apr 18 10:32:33 2019 GMT [9346] ERROR: Socket Connect failed (Unknown host)!
> Apr 18 10:32:33 2019 GMT [9346] ERROR: Socket _Connect failed (Unknown host)
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [pki_socket.c:156] [ERROR] Can not create network connection to collegeca.dartmouth.edu:443
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [pki_x509_io.c:227] Null Memory Pointer => No data returned from URL []
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [config.c:475] [ERROR] Can not get CA cert [CA: https://collegeca.dartmouth.edu/certs/DartmouthCA.cer, URL: Dartmouth]
> Apr 18 10:32:33 2019 GMT [9346] GENERAL: Processing Configuration for [CA: MySelf]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1]
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [pki_x509_io.c:227] Null Memory Pointer => No data returned from URL [▒ T]
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [config.c:475] [ERROR] Can not get CA cert [CA: etc/ocspd/certs/cacert.pem, URL: MySelf]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:784] [DEBUG] GOT SEARCH PATHS => 1
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:797] [DEBUG] SEARCHING FOR ocspServerToken in dir /apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:692] [DEBUG] Processing file [..]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:696] [DEBUG] Skipping ..
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:692] [DEBUG] Processing file [eracom.xml]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:710] [DEBUG] Opening File /apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d/eracom.xml
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:722] [DEBUG] Getting Name Param...
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:728] [DEBUG] Got Name::Eracom
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:692] [DEBUG] Processing file [software.xml]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:710] [DEBUG] Opening File /apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d/software.xml
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:722] [DEBUG] Getting Name Param...
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:728] [DEBUG] Got Name::ocspServerToken
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:736] [DEBUG] File successfully loaded /apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d/software.xml
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:801] [DEBUG] FOUND => ocspServerToken [/apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /tokenConfig/password, Position: -1]
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [pki_x509_io.c:227] Null Memory Pointer => No data returned from URL [ ▒R]
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [token.c:692] Can not load Token certificate
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [token.c:839] Can not load Token's Profile => ocspServerToken
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [core.c:42] [ERROR] Can not load default token (/apps/oracle/ocspd-bugfixes/etc/ocspd/ocspd.xml/ocspServerToken)
> Apr 18 10:32:33 2019 GMT [9346] NOTICE: Exiting, Glad to serve you, Master!
> [orcladmin@ip-192-168-0-95 sbin]$
>
>
>
> When I ran the test.sh:
> [orcladmin@ip-192-168-0-95 bin]$ ./test.sh
>
> OCSP Test Script
> (c) 2006 by Massimiliano Pala and OpenCA Team
>
> Test 78 requests (serial 123):
> [111111111111111111111111111111111111111111111111111111111111111111111111111111
> real 0m0.255s
> user 0m0.149s
> sys 0m0.035s
> ]
>
>
> Does that look all right? I mean, does the ocspd-bugfixes look like it is working?
>
>
>
>
> Jim
>
_______________________________________________
Openca-ocspd mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/openca-ocspd
|
|
From: o h. <oh...@ya...> - 2019-04-18 23:24:40
|
Hi,
Do you have any idea about what is causing the segfault? It seems like the only CRL it works with now is the collegeca one (at least for me). What is it about the collegeca one that allows it to work?
Thanks, Jim
|
|
From: o h. <oh...@ya...> - 2019-04-18 16:16:13
|
[Added the mailing list back into the email... Sorry]
On Thursday, April 18, 2019, 3:04:24 PM UTC, o haya <oh...@ya...> wrote:
I ran the ocspd pointing to our configuration and it looks like this is where it is blowing up:
./ocspd -c /apps/oracle/ocspd/etc/ocspd/ocspd.xml -debug -stdout
...
Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:394] [DEBUG] Building CA List
Apr 18 14:57:37 2019 GMT [10335] GENERAL: Processing Configuration for [CA: EntrustCA.crl]
Apr 18 14:57:37 2019 GMT [10335] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1]
Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:623] [DEBUG] CRL Downloading Process Started [CA: EntrustCA.crl, URL: file:///apps/oracle/crl/golden/EntrustCA.crl]
Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:837] [DEBUG] CRL loaded successfully [URL: file:///apps/oracle/crl/golden/EntrustCA.crl]
Apr 18 14:57:37 2019 GMT [10335] INFO: [crl.c:213] [DEBUG] Got the public key from the CA cert [Scheme: RSA, Key Size: 2048]
Segmentation fault (core dumped)
|
|
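The crash above happens right after ocspd pulls the public key out of the CA certificate for EntrustCA.crl, so the next thing it presumably does is verify the CRL's signature with that key (an assumption; the thread does not show crl.c). Before blaming the daemon it is worth confirming with plain OpenSSL that the CRL actually verifies under the CA certificate ocspd was given, and which signature algorithm it carries, since Martin's hint about differing algorithms points exactly there. The script below is an added example, not code from openca-ocspd or libpki: it builds a throwaway RSA-2048 test CA and an empty CRL in a temporary directory (constructed test data; the /apps/oracle paths from the thread are not used), then checks that CRL against the issuing CA and against an unrelated certificate.

```shell
#!/bin/sh
# Added example (not code from openca-ocspd or libpki): check a CRL against the
# CA certificate it is supposed to be issued under, the way an OCSP responder
# must before trusting it. The CA, key and CRL below are throwaway test data
# generated on the fly; the ocspd config paths from the thread are not used.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal "openssl ca" configuration so that "openssl ca -gencrl" can run.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca         = test_ca
[ test_ca ]
dir                = $WORK
database           = \$dir/index.txt
new_certs_dir      = \$dir
serial             = \$dir/serial
crlnumber          = \$dir/crlnumber
certificate        = \$dir/ca.pem
private_key        = \$dir/ca.key
default_md         = sha256
default_crl_days   = 7
policy             = any_policy
[ any_policy ]
commonName         = optional
[ req ]
distinguished_name = dn
[ dn ]
EOF
: > "$WORK/index.txt"
echo 01 > "$WORK/serial"
echo 01 > "$WORK/crlnumber"

# Test CA (RSA 2048, like the CA in the log) and an unrelated self-signed cert.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 7 -config "$WORK/ca.cnf" \
    -subj "/CN=Example Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 7 -config "$WORK/ca.cnf" \
    -subj "/CN=Unrelated CA" -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
# Empty CRL signed by the test CA.
openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null

# crl_sig_alg CRL FORMAT: print the CRL's signature algorithm (FORMAT is PEM or DER).
crl_sig_alg() {
    openssl crl -in "$1" -inform "$2" -noout -text 2>/dev/null \
        | sed -n 's/^[[:space:]]*Signature Algorithm: //p' | head -n 1
}

# crl_verify CRL FORMAT CACERT: print "ok" if the CRL signature verifies under
# CACERT, "fail" otherwise. "openssl crl -CAfile" reports the result on stderr
# and its exit status is not a reliable indicator across OpenSSL versions, so
# the message itself is matched rather than the return code.
crl_verify() {
    if openssl crl -in "$1" -inform "$2" -noout -CAfile "$3" 2>&1 | grep -q 'verify OK'; then
        echo ok
    else
        echo fail
    fi
}

echo "CRL signature algorithm: $(crl_sig_alg "$WORK/ca.crl" PEM)"
echo "CRL vs. issuing CA:      $(crl_verify "$WORK/ca.crl" PEM "$WORK/ca.pem")"
echo "CRL vs. unrelated cert:  $(crl_verify "$WORK/ca.crl" PEM "$WORK/other.pem")"
```

For the real files, call `crl_verify /apps/oracle/crl/golden/EntrustCA.crl DER /path/to/EntrustCA.pem` (the CA certificate path is a placeholder; use PEM instead of DER if the CRL is PEM encoded). A "fail" means ocspd is being handed a CRL and CA certificate that do not belong together, which is worth ruling out first. If the pair verifies and the daemon still dies, the core file is the next stop: run `ulimit -c unlimited` in the shell that starts it, reproduce the crash, and read the backtrace with `gdb -batch -ex bt ./ocspd core`.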
From: o h. <oh...@ya...> - 2019-04-15 15:30:12
|
Hi Martin,
I was able to build the libpki using the source from the bugfixes branch.
However, I ran into a problem when I tried to do the 'make' for the ocspd.
[orcladmin@ip-192-168-0-95 openca-ocspd-3.1.2]$ make
Making all in src
make[1]: Entering directory `/apps/STAGING/BUGFIXES-TEST-BUILD-ON-RHEL-6.10/openca-ocspd-3.1.2/src'
Making all in ocspd
make[2]: Entering directory `/apps/STAGING/BUGFIXES-TEST-BUILD-ON-RHEL-6.10/openca-ocspd-3.1.2/src/ocspd'
gcc -DHAVE_CONFIG_H -I. -I../../src/ocspd/includes -I. -I/usr/include/libxml2 -g -O2 -fstack-check -maccumulate-outgoing-args -Werror -Wfatal-errors -MT ocspd-ocspd.o -MD -MP -MF .deps/ocspd-ocspd.Tpo -c -o ocspd-ocspd.o `test -f 'ocspd.c' || echo './'`ocspd.c
In file included from ../../src/ocspd/includes/general.h:313,
from ocspd.c:9:
../../src/ocspd/includes/cache.h:52: error: redefinition of typedef ‘OCSPD_CACHE’
compilation terminated due to -Wfatal-errors.
make[2]: *** [ocspd-ocspd.o] Error 1
make[2]: Leaving directory `/apps/STAGING/BUGFIXES-TEST-BUILD-ON-RHEL-6.10/openca-ocspd-3.1.2/src/ocspd'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/apps/STAGING/BUGFIXES-TEST-BUILD-ON-RHEL-6.10/openca-ocspd-3.1.2/src'
make: *** [all-recursive] Error 1
NOTE, I was doing both the libpki and ocspd builds in the directory "/apps/STAGING/BUGFIXES-TEST-BUILD-ON-RHEL-6.10/".
For the libpki, I used "./configure --prefix=/apps/oracle/libpki-bugfixes".
Then, for ocspd, I used: "./configure --prefix=/apps/oracle/ocspd-bugfixes --with-libpki-prefix=/apps/oracle/libpki-bugfixes".
Then, I did:
export CPATH=/apps/oracle/libpki-bugfixes/include
export LD_LIBRARY_PATH=/apps/oracle/libpki-bugfixes/lib64
make
and then I got the above error(s).
Jim
On Monday, April 15, 2019, 2:49:19 PM UTC, o haya via Openca-ocspd <ope...@li...> wrote:
Hi Martin,
Ok, I will try that (build from the bugfixes branch download) on RHEL 6.10 and let you know (either way).
Jim
On Monday, April 15, 2019, 8:22:44 AM UTC, Martin Hecht <he...@hl...> wrote:
Jim,
you can also try out the bugfixes branch of my fork of libpki at github:
https://github.com/mrbaseman/libpki/tree/bugfixes
if you encounter any further difficulties with that branch, please let
me know, so I can push commits with the fixes directly to the pull
request that I have opened in the official repo.
Martin
|
|
From: o h. <oh...@ya...> - 2019-04-15 14:49:08
|
Hi Martin,
Ok, I will try that (build from the bugfixes branch download) on RHEL 6.10 and let you know (either way).
Jim
On Monday, April 15, 2019, 8:22:44 AM UTC, Martin Hecht <he...@hl...> wrote:
Jim,
you can also try out the bugfixes branch of my fork of libpki at github:
https://github.com/mrbaseman/libpki/tree/bugfixes
if you encounter any further difficulties with that branch, please let
me know, so I can push commits with the fixes directly to the pull
request that I have opened in the official repo.
Martin
|