
ocsp through proxy


Fernando Ruza Rodriguez

Oct 29, 2010, 7:17:10 AM
Hi,

We use openssl ocsp to make certificate checks in an application inside
our company and openssl has to do the check through the company proxy.
We have seen that openssl doesn't use the http_proxy environment variable,
nor does it have any parameter to use a proxy. Also, we have seen that squid
(which is the proxy our company uses) doesn't implement the ocsp protocol
(http://devel.squid-cache.org/ssl/), I think.

Is there any way to use ocsp through a squid proxy?

As openssl doesn't support proxy I've managed to tunnel it through our
proxy with proxychains (http://proxychains.sourceforge.net/) and we
received the following error message in our squid log:

127.0.0.1 - - [29/Oct/2010:12:27:39 +0200] "CONNECT 213.170.35.240:80 HTTP/1.0" 403 1440 "-" "-" TCP_DENIED:NONE

We've tested it with the following commands and both give the same
results:

proxychains openssl ocsp -CAfile /tmp/acraiz-dnie.cer \
  -issuer /tmp/7c76ee6e3713d8a54bdcb39ff4237fc6cert_i.pem \
  -cert /tmp/7c76ee6e3713d8a54bdcb39ff4237fc6cert_c.pem \
  -url http://ocsp.dnie.es

proxychains openssl ocsp -CAfile /tmp/acraiz-dnie.cer \
  -issuer /tmp/7c76ee6e3713d8a54bdcb39ff4237fc6cert_i.pem \
  -cert /tmp/7c76ee6e3713d8a54bdcb39ff4237fc6cert_c.pem \
  -host ocsp.dnie.es:80 -url http://ocsp.dnie.es

Thanks for any clue and regards,

Fernando.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

jose javier

Dec 13, 2010, 6:56:03 AM
Good morning
The solution is:

openssl ocsp -CAfile /etc/ssl/certs/acraiz-dnie.cer \
  -issuer /tmp/919861e5688280242ba2bf0015d3fd7acert_i.pem \
  -cert /tmp/919861e5688280242ba2bf0015d3fd7acert_c.pem \
  -host proxy.dominio.es:8080 -path http://ocsp.dnie.es/

On 29 oct, 12:17, fernan...@sescam.jccm.es (Fernando Ruza Rodriguez)
wrote:


> Hi,
>
> We use openssl ocsp to make certificate checks in an application inside
> our company and openssl has to do the check through the company proxy.
> We have seen that openssl doesn't use the http_proxy environment variable,
> nor does it have any parameter to use a proxy. Also, we have seen that squid
> (which is the proxy our company uses) doesn't implement the ocsp protocol
> (http://devel.squid-cache.org/ssl/), I think.
>
> Is there any way to use ocsp through a squid proxy?
>
> As openssl doesn't support proxy I've managed to tunnel it through our
> proxy with proxychains (http://proxychains.sourceforge.net/) and we
> received the following error message in our squid log:
>
> 127.0.0.1 - - [29/Oct/2010:12:27:39 +0200] "CONNECT 213.170.35.240:80
> HTTP/1.0" 403 1440 "-" "-" TCP_DENIED:NONE
>
> We've tested it with the following commands and both give the same
> results:
>
> proxychains openssl ocsp -CAfile /tmp/acraiz-dnie.cer \
>   -issuer /tmp/7c76ee6e3713d8a54bdcb39ff4237fc6cert_i.pem \
>   -cert /tmp/7c76ee6e3713d8a54bdcb39ff4237fc6cert_c.pem \
>   -url http://ocsp.dnie.es
>
> proxychains openssl ocsp -CAfile /tmp/acraiz-dnie.cer \
>   -issuer /tmp/7c76ee6e3713d8a54bdcb39ff4237fc6cert_i.pem \
>   -cert /tmp/7c76ee6e3713d8a54bdcb39ff4237fc6cert_c.pem \
>   -host ocsp.dnie.es:80 -url http://ocsp.dnie.es
>
> Thanks for any clue and regards,
>
> Fernando.
>
> ______________________________________________________________________
> OpenSSL Project                                http://www.openssl.org
> User Support Mailing List                    openssl-us...@openssl.org
> Automated List Manager                           majord...@openssl.org
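
Added example, not part of the thread and not OpenSSL's code: the sketch below shows the HTTP framing difference between the two approaches discussed above. The proxychains attempt reached Squid as a CONNECT to port 80, which the quoted log shows being refused with 403, while pointing the client at the proxy with the responder's absolute URL as the path makes the proxy see an ordinary POST. The function names `ocsp_post` and `denied_connect`, the `Host` header and the placeholder request body are assumptions made for illustration.

```python
# Added illustration (not OpenSSL's code): HTTP framing of an OCSP POST,
# sent directly versus through a forward proxy such as Squid.
from urllib.parse import urlsplit

# Constructed placeholder body; a real client sends a DER-encoded OCSPRequest.
SAMPLE_DER = bytes.fromhex("3000")
# Log line quoted from the first message, joined onto one line.
SAMPLE_LOG = ('127.0.0.1 - - [29/Oct/2010:12:27:39 +0200] '
              '"CONNECT 213.170.35.240:80 HTTP/1.0" 403 1440 "-" "-" TCP_DENIED:NONE')

def ocsp_post(responder_url, der_request, proxy=None):
    """Return ((host, port) to open the TCP connection to, raw request bytes)."""
    u = urlsplit(responder_url)
    if u.scheme != "http" or not u.hostname:
        raise ValueError("expected an http:// responder URL")
    if proxy:
        # Forward-proxy form: connect to the proxy and put the absolute URI in
        # the request line, so the proxy sees an ordinary POST, not a CONNECT.
        p = urlsplit("//" + proxy)
        if not p.hostname or not p.port:
            raise ValueError("proxy must be given as host:port")
        peer, target = (p.hostname, p.port), responder_url
    else:
        # Direct form: connect to the responder and send only the path.
        peer, target = (u.hostname, u.port or 80), (u.path or "/")
    head = (f"POST {target} HTTP/1.0\r\n"
            f"Host: {u.netloc}\r\n"  # assumption: Host added for the proxy's benefit
            "Content-Type: application/ocsp-request\r\n"
            f"Content-Length: {len(der_request)}\r\n\r\n")
    return peer, head.encode("ascii") + der_request

def denied_connect(log_line):
    """Return (target, status) if the access-log line records a refused CONNECT."""
    fields = log_line.split('"')
    if len(fields) < 3:
        return None
    request, result = fields[1].split(), fields[2].split()
    if len(request) >= 2 and request[0] == "CONNECT" and result and result[0] == "403":
        return request[1], int(result[0])
    return None

if __name__ == "__main__":
    peer, raw = ocsp_post("http://ocsp.dnie.es/", SAMPLE_DER, "proxy.dominio.es:8080")
    print(peer, raw.split(b"\r\n")[0].decode())
    print(denied_connect(SAMPLE_LOG))
```
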
