Old 29th November 2022
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,984

I can't spell. It's OCSP: https://en.wikipedia.org/wiki/Online...tatus_Protocol.

OpenBSD's built-in web server httpd(8) supports OCSP stapling. Here's an example httpd.conf(5) fragment from one of my servers:
Code:
server "<redacted>" {
        alias "<www.redacted>"
        listen on * tls port https
        hsts
        tls certificate "/etc/ssl/acme/fullchain.pem"
        tls key "/etc/ssl/acme/private/privkey.pem"
        tls ocsp "/etc/ssl/acme/cert.der"
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
}
This server runs OpenBSD's ocspcheck(8) utility daily for certificate validation against the certificate authority's responder.

OCSP stapling is time-dependent and (nearly) correct time is required, which is why incorrect clocks cause failures. https://en.wikipedia.org/wiki/OCSP_stapling

Last edited by jggimi; 29th November 2022 at 03:08 PM. Reason: added time-dependent comment and stapling link
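The time-dependence mentioned in the post can be checked from the client side. The following is an added example, not part of the original post or of OpenBSD's httpd(8)/ocspcheck(8): it parses the text that `openssl s_client -connect host:443 -status` prints for a stapled response (the sample below is constructed, and the exact line layout is assumed to follow OpenSSL/LibreSSL's usual output), then judges the staple the way a TLS client would against a given clock, with a small tolerance for skew. It also flags a staple whose remaining validity is shorter than the refresh interval, which is the case a daily ocspcheck(8) run must stay ahead of.

```python
"""Freshness check for an OCSP staple as printed by `openssl s_client -status`.

Added example; the sample output below is constructed, not captured from a
real server, and the field names assume OpenSSL/LibreSSL's text layout.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of the OCSP section of `openssl s_client -status` output.
SAMPLE_OUTPUT = """\
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Example CA, CN = Example OCSP Responder
    Produced At: Nov 29 12:00:00 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 0000000000000000000000000000000000000000
      Issuer Key Hash: 1111111111111111111111111111111111111111
      Serial Number: 0123456789ABCDEF
    Cert Status: good
    This Update: Nov 29 12:00:00 2022 GMT
    Next Update: Dec  6 12:00:00 2022 GMT
======================================
"""

# What s_client prints when the server sends no staple at all (constructed).
NO_STAPLE_OUTPUT = "OCSP response: no response sent\n"

_TIME_FMT = "%b %d %H:%M:%S %Y GMT"


@dataclass
class Staple:
    response_status: str   # "successful", "tryLater", ...
    cert_status: str       # "good", "revoked", "unknown"
    this_update: datetime  # start of the responder's validity window
    next_update: datetime  # end of the window; clients reject after this


def _parse_time(text: str) -> datetime:
    # openssl pads single-digit days with a space ("Dec  6"); strptime
    # treats whitespace in the format as one-or-more spaces, so this parses.
    return datetime.strptime(text.strip(), _TIME_FMT).replace(tzinfo=timezone.utc)


def parse_staple(text: str) -> Staple | None:
    """Return the stapled response's fields, or None if no staple was sent."""
    if re.search(r"OCSP response:\s*no response sent", text):
        return None

    def field(name: str) -> str:
        m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.M)
        if not m:
            raise ValueError(f"missing field {name!r} in s_client output")
        return m.group(1)

    return Staple(
        response_status=field("OCSP Response Status").split(" ")[0],
        cert_status=field("Cert Status"),
        this_update=_parse_time(field("This Update")),
        next_update=_parse_time(field("Next Update")),
    )


def evaluate(staple: Staple | None, now: datetime,
             skew: timedelta = timedelta(minutes=5),
             refresh_interval: timedelta = timedelta(days=1)) -> tuple[str, bool]:
    """Judge the staple as a client with clock `now` would.

    Returns (verdict, needs_refresh). `needs_refresh` is True when the staple
    will expire before the next scheduled ocspcheck-style refresh, i.e. the
    server should fetch a new response sooner than its usual interval.
    """
    if staple is None:
        return ("no staple", False)
    if staple.response_status != "successful":
        return (f"responder error: {staple.response_status}", True)
    # The window check is what makes stapling clock-sensitive: a client whose
    # clock is behind thisUpdate or ahead of nextUpdate rejects a valid staple.
    if now < staple.this_update - skew:
        return ("not yet valid (client clock behind?)", False)
    if now > staple.next_update + skew:
        return ("expired (stale staple or client clock ahead)", True)
    needs_refresh = staple.next_update - now < refresh_interval
    return (staple.cert_status, needs_refresh)


if __name__ == "__main__":
    staple = parse_staple(SAMPLE_OUTPUT)
    for label, clock in [
        ("correct clock", datetime(2022, 12, 1, tzinfo=timezone.utc)),
        ("clock behind", datetime(2022, 11, 20, tzinfo=timezone.utc)),
        ("clock ahead", datetime(2023, 1, 1, tzinfo=timezone.utc)),
    ]:
        print(f"{label:14s} -> {evaluate(staple, clock)}")
    print(f"{'no staple':14s} -> {evaluate(parse_staple(NO_STAPLE_OUTPUT), datetime.now(timezone.utc))}")
```

To use it against a live server, pipe `openssl s_client -connect host:443 -status < /dev/null 2>/dev/null` into `parse_staple` and pass the current UTC time to `evaluate`; the `needs_refresh` flag is the condition to alert on when the cron job that runs ocspcheck(8) has not produced a fresh `cert.der` in time.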