I-Space Research Labs

How to set up OCSP using OpenSSL

by on Feb.26, 2012, under Security, Tech Stuff

Like a lot of open source projects, OpenSSL has *tons* of documentation but a dearth of useful documentation. It seems like everyone in the know assumes that everyone else is also in the know. I don’t know. But what I do know is how to set up OpenSSL to use OCSP. If you’re a good CA admin, you’re dutifully revoking certificates, regenerating your CRL, and making it available for your servers to download and enjoy. That’s the Old Way. The New Way is to use OCSP… in all reality, I doubt a lot of people are even revoking certs, much less needing to check whether one they issued has been revoked, but hey… it’s cool and you get bragging rights with all your geek friends.

Assuming that you already have an OpenSSL Certificate Authority set up, you will need to make a couple of changes to your openssl.cnf file. Add a new line to the usr_cert stanza:

[ usr_cert ]
authorityInfoAccess = OCSP;URI:http://<uri to server>

Create a new stanza:

[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning

For this example, the OCSP server will be running on ca.isrlabs.net on port 8888, so the authorityInfoAccess line will look like:

authorityInfoAccess = OCSP;URI:http://ca.isrlabs.net:8888

This line adds an Authority Information Access extension to issued certs that tells clients where the CA’s OCSP server is located, so they can check the validity of the cert. The new v3_OCSP template assigns the necessary “OCSPSigning” extended key usage to any certificate issued under it. We need to issue an OCSP signing certificate with the OCSPSigning attribute to the OCSP server; otherwise signature verification will fail when a cert is being checked. This is the first thing we will do:

openssl req -new -nodes -out ca.isrlabs.net.csr -keyout ca.isrlabs.net.key -extensions v3_OCSP

Sign the request with the CA signing key:

openssl ca -in ca.isrlabs.net.csr -out ca.isrlabs.net.crt -extensions v3_OCSP

OpenSSL will display the signing request; look for this in the X509v3 extensions:

X509v3 Extended Key Usage:
OCSP Signing

Sign and commit the request. Now, issue a throwaway cert and sign it:

openssl req -new -nodes -out dummy.isrlabs.net.csr -keyout dummy.isrlabs.net.key

openssl ca -in dummy.isrlabs.net.csr -out dummy.isrlabs.net.crt

Next, start up the OCSP server.

openssl ocsp -index /etc/pki/CA/index.txt -port 8888 -rsigner ca.isrlabs.net.crt -rkey ca.isrlabs.net.key -CA /etc/pki/CA/cacert.pem -text -out log.txt

Once the dummy cert has been issued and the OCSP server started, we can test the cert using the “openssl ocsp” command. To verify a certificate with OpenSSL, the command syntax is:

openssl ocsp -CAfile <cafile pem> -issuer <issuing ca pem> -cert <certificate to check> -url <url to OCSP server> -resp_text

So to test our dummy file:

openssl ocsp -CAfile cacert.pem -issuer cacert.pem -cert dummy.isrlabs.net.crt -url http://ca.isrlabs.net:8888 -resp_text

A large block of text will flood the screen. The important parts are:

OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response

Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 922CD93C975EDC121DB25B1A55BA9B544E06F9B3
Issuer Key Hash: 322A8DBF79BE1A934543DC4F24FC69220A2803BA
Serial Number: 06
Cert Status: good

Response verify OK

dummy.isrlabs.net.crt: good
This Update: Feb 27 00:55:54 2012 GMT

Now revoke the cert, regenerate the CRL and restart the OCSP server (the server must be restarted every time a cert is issued or revoked). If the OCSP signing certificate was not issued with the OCSPSigning attribute, OpenSSL will gripe that the verification did not work properly; reissue the server’s signing cert with the OCSPSigning attribute.

openssl ca -revoke /etc/pki/CA/newcerts/06.pem

openssl ca -gencrl -out /etc/pki/CA/crl.pem

Now we can verify the certificate again:

openssl ocsp -CAfile /etc/pki/CA/cacert.pem -issuer /etc/pki/CA/cacert.pem -cert dummy.isrlabs.net.crt -url http://ca.isrlabs.net:8888 -resp_text

OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response

Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 922CD93C975EDC121DB25B1A55BA9B544E06F9B3
Issuer Key Hash: 322A8DBF79BE1A934543DC4F24FC69220A2803BA
Serial Number: 06
Cert Status: revoked
Revocation Time: Feb 27 01:07:36 2012 GMT
This Update: Feb 27 01:12:08 2012 GMT

Response verify OK
dummy.isrlabs.net.crt: revoked
This Update: Feb 27 01:12:08 2012 GMT
Revocation Time: Feb 27 01:07:36 2012 GMT

If you were to install this cert on a website, and the CA certificate was installed, any modern browser should refuse to connect to the site, as the cert has been revoked.
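As an added example (not from the original post), here is a small POSIX shell filter that turns the “openssl ocsp -resp_text” output shown above into a fail-closed verdict: it insists on “Response verify OK”, a successful response status and the expected issuer key hash before it trusts the “Cert Status” line. The sample responses are constructed from the post’s own output, trimmed to the lines that matter; the issuer key hash is the one from the post.

```shell
#!/bin/sh
# Constructed samples of "openssl ocsp ... -resp_text 2>&1" output, trimmed to the
# lines the post highlights (values copied from the post's own responses).
GOOD_RESP='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Certificate ID:
      Issuer Key Hash: 322A8DBF79BE1A934543DC4F24FC69220A2803BA
      Serial Number: 06
    Cert Status: good
Response verify OK
dummy.isrlabs.net.crt: good'

REVOKED_RESP='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Certificate ID:
      Issuer Key Hash: 322A8DBF79BE1A934543DC4F24FC69220A2803BA
      Serial Number: 06
    Cert Status: revoked
    Revocation Time: Feb 27 01:07:36 2012 GMT
Response verify OK
dummy.isrlabs.net.crt: revoked'

# ocsp_verdict EXPECTED_ISSUER_KEY_HASH   (response text on stdin)
# Prints exactly one word and fails closed: only "good" exits 0. Anything that is
# not a verified, successful answer for the expected issuer is treated as bad.
ocsp_verdict() {
    expected_kh=$1
    resp=$(cat)
    # 1. The responder signature must have verified (openssl prints this on stderr).
    printf '%s\n' "$resp" | grep -q '^Response verify OK' || { echo unverified; return 1; }
    # 2. The responder must actually have answered.
    printf '%s\n' "$resp" | grep -q 'OCSP Response Status: successful' || { echo failed; return 1; }
    # 3. The answer must concern a cert from the issuer we asked about.
    kh=$(printf '%s\n' "$resp" | sed -n 's/^ *Issuer Key Hash: *//p' | head -n 1)
    [ "$kh" = "$expected_kh" ] || { echo wrong-issuer; return 1; }
    # 4. Only now look at the status itself; anything but "good" is a failure.
    status=$(printf '%s\n' "$resp" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
    case $status in
        good)    echo good;    return 0 ;;
        revoked) echo revoked; return 1 ;;
        *)       echo unknown; return 1 ;;
    esac
}

# Usage against the live responder from the post (not run here):
#   openssl ocsp -CAfile cacert.pem -issuer cacert.pem -cert dummy.isrlabs.net.crt \
#       -url http://ca.isrlabs.net:8888 -resp_text 2>&1 \
#       | ocsp_verdict 322A8DBF79BE1A934543DC4F24FC69220A2803BA
```

The 2>&1 matters: openssl writes “Response verify OK” to stderr, so without it the filter never sees the verification result and reports “unverified”.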


iSCSI diskless workstations

by on Oct.29, 2010, under ISCSI, Tech Stuff

Wow, been a long time since I posted on here, and looking at the previous post… I had just gotten promoted and I was full of optimism that was going to Change the World. Well, eventually reality has its way of rudely awakening people, and gosh… well at least I’m back doing what I do best, which is building and fixing things.

So what have I been cooking up lately? Diskless iSCSI workstations: a PC without a hard drive installed internally that still has a block device for storage, because it has an iSCSI drive mounted across the network. After a few false starts, it’s surprisingly easy to do with any RedHat 5.1 or later.


The coolness of SELinux

by on Aug.17, 2009, under SELinux, Tech Stuff

After spending a week in Washington learning the darkest secrets of SELinux, I can see why a lot of people “just turn it off”. This is terrible. SELinux can save your @$$ in the event that you get hit with a 0-day. Most admins don’t understand SELinux, other than that “it breaks stuff”, and just disable it. It’s understandable, since most people don’t work for the DoD or other agencies where Mandatory Access Controls are used. SELinux is not Discretionary Access Control Lists (DACLs) like in Windows, or UGO-style controls in Unix… or even POSIX ACLs. SELinux labels are much more powerful. Properly configured and running, SELinux can prevent root from doing everyday root things like cat’ing /etc/shadow. So imagine what SELinux can do if someone pops your webserver. Without SELinux, they would have the access privileges of the Apache user. But with SELinux, they can only access files and ports that the underlying httpd process is allowed to access.

So let’s try to pull back the veil of mystery on SELinux….

More GFS tuning

by on Jun.25, 2009, under GFS, Tech Stuff

Finally had some time to do some more GFS tuning on my test cluster.

The first thing I discovered is that even when writing small (~1Mb) files, using directio cuts your throughput in half. It’s fail, don’t use it. Same with data journaling: don’t bother.

But the SWEET stuff is glock_purge and demote_secs. On a 100Mbps network connection to an old cranky Dell workstation running the iSCSI target, with 3 servers writing 1000 1-Mb files to random locations on the GFS filesystem, I saw up to 6.8Mb throughput on all 3 servers at the same time. Hopefully I’ll get some real SAN hardware soon so I can get some real performance.

The two parameters are glock_purge and demote_secs. You set them with:

gfs_tool settune /my/gfs glock_purge X

gfs_tool settune /my/gfs demote_secs X

glock_purge takes an argument that tells gfsd what percentage of unused locks to purge every 5 seconds. Redhat recommends starting at 50 and working your way up. I’m currently pushing 90, which may be a bit too aggressive, but then I’m just benchmarking. Production may turn out to be different.

demote_secs is the interval, in seconds, at which gfsd wakes up to demote locks and flush data to disk, so it stands to reason that a lower number may be beneficial. I’m currently at 5, which may be silly, but I like to see what the extremes look like as I dial in. The default is 300 seconds.

You can read more about them here.

Here’s how I set up my mounts on all 3 servers:

mount -t gfs /dev/myvg/mygfs /mnt/gfs -o acl,noatime,nodiratime

gfs_tool settune /mnt/gfs statfs_fast 1

gfs_tool settune /mnt/gfs glock_purge 90

gfs_tool settune /mnt/gfs demote_secs 5

Remember these numbers are probably not good for production.

On one of the servers, I do a little for loop to set up the test:

for i in {1..1000}; do mkdir /mnt/gfs/$i;done

This creates 1000 folders on the gfs mount.

Then a short bash script:

#!/bin/bash
## gfshammer.sh
## GFS testing script. Yay.

echo "Starting: $(date)" >> ~/timefile

for i in {1..1000}; do
    ## pick one of the 1000 directories created above, and a size of 1..1000 KB
    NUM=$((RANDOM % 1000 + 1))
    SIZE=$((RANDOM % 1000 + 1))
    dd if=/dev/urandom of=/mnt/gfs/$NUM/test$i bs=1024 count=$SIZE
done

echo "Finished: $(date)" >> ~/timefile


This will create randomly sized files full of random data in random places on the GFS filesystem. I ran this on all 3 nodes at the same time and saw lows of 4MB/sec to highs of 6.8MB/sec, usually around 6MB/sec. That ain’t bad given the underlying infrastructure: 100Mbps LAN, single spindle on an old workstation. I think at this point I’m being bottlenecked by the network. I was getting around 6MB/sec with just a single node without any glock tuning the other day, so this seems like a big jump forward.

Also, I tried GFS2, and I’m sad to report that its performance is nowhere near what I was getting with GFS. I can’t tune glocks as GFS2 is supposed to be self-tuning, but I saw a pretty significant drop in throughput when I tried it, so back to GFS we go…


GFS Tuning and Iran

by on Jun.24, 2009, under GFS, Tech Stuff

I’m not surprised that the Iranian government stacked the deck and tried to screw their own people over. People who are in power illegitimately usually go to any means to ensure that they STAY in power. I’m also disappointed in our own talking heads, especially McCain, who think that we should be charging in somehow and fixing this for the Iranians. Because it worked so well in Iraq. A democracy that is forced on people isn’t a democracy. Countries like Iraq, which have spent the last few decades under the oppressive rule of a dictator, don’t know what to do with the democracy they’ve been given. The fate of the Iranian people lies in their own hands; all we can do as a responsible nation is make sure that they don’t get all machinegunny on their own people.

Anyway, today’s topic is… GFS tuning. I was doing some benchmarking with a cluster of three nodes all tied back to a shared GFS filesystem exported via iSCSI. I don’t think the underlying network is gigabit; it’s likely Fast Ethernet, and the iSCSI server is a measly little workstation. With the default parameters, I was initially getting 5 megabytes/sec dd’ing /dev/urandom to a file until it was a gigabyte in size. Once we had that baseline down, I did a few tests. This is the standard command I used on all my tests:

dd if=/dev/urandom of=/my/gfs/file bs=1024 count=1000000   # random garbage of about a gig in size


Clustering made EZ

by on Jun.02, 2009, under Clustering, Tech Stuff

I’m going to be a little helpful and explain how to do clustering on Redhat Linux. This should also work for Fedora and CentOS. But don’t ask me about other distros, I don’t use them.

First, some definitions. When I say clustering, I’m talking about high availability. Not parallel or cloud computing. Not that tired old joke “Imagine a Beowulf cluster of that! HAWHAWHAW”.

/SLAP! God, I hate Slashdotters.

When we’re talking clustering, we’re talking about making things highly available by throwing 2 or more computers at providing some kind of service, be it a file share, application, etc… We’re also not talking about load balancing; that’s something else in the Redhat world (Piranha).
