
So I have been doing some OCSP performance benchmarking the last few weeks; one of the things we noticed while doing this is that OpenSSL does not set the HOST header when sending requests.

This is a problem when interacting with an OCSP responder that is on a shared host (a virtual host): without the header, the web server doesn't know which instance to send the request to. You can work around this by using the "-header" option, for example:

openssl ocsp -noverify -no_nonce -respout ocspglobalsignca.resp -reqout ocspglobalsignca.req -issuer globalsigng2.cer -cert globalsign.com.cer -url "http://ocsp2.globalsign.com/gsextendvalg2" -header "HOST" "ocsp2.globalsign.com"

You need to ensure the HOST header is set consistently with the host contained in the -url switch, but it works.

Ryan
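One way to keep the HOST header consistent with the -url host is to derive it from the URL, shown here as an added example that is not part of the original post or of OpenSSL. The function names ocsp_host_from_url and ocsp_query are hypothetical.

```shell
#!/bin/sh
# Added example: derive the Host header from the responder URL so the two
# values cannot drift apart. Function names are hypothetical.

# Print host[:port] from an http(s) URL. Default ports are dropped because
# a Host header normally omits them.
ocsp_host_from_url() {
    url=$1
    case $url in
        http://*)  scheme=http;  rest=${url#http://} ;;
        https://*) scheme=https; rest=${url#https://} ;;
        *) echo "unsupported URL: $url" >&2; return 1 ;;
    esac
    authority=${rest%%/*}          # drop the path
    authority=${authority%%\?*}    # drop a query that follows the host directly
    authority=${authority##*@}     # drop any userinfo
    [ -n "$authority" ] || { echo "no host in URL: $url" >&2; return 1; }
    case "$scheme:$authority" in
        http:*:80)   authority=${authority%:80} ;;
        https:*:443) authority=${authority%:443} ;;
    esac
    printf '%s\n' "$authority"
}

# Query a responder with a Host header derived from the URL.
# Usage: ocsp_query ISSUER_CERT LEAF_CERT URL [extra "openssl ocsp" options]
# Uses the two-argument -header form shown in the post; OpenSSL 1.1.0 and
# later take a single name=value argument instead.
ocsp_query() {
    issuer=$1 cert=$2 url=$3
    shift 3
    host=$(ocsp_host_from_url "$url") || return 1
    openssl ocsp -noverify -no_nonce -issuer "$issuer" -cert "$cert" \
        -url "$url" -header "HOST" "$host" "$@"
}

# Header value for the URL used in the post.
ocsp_host_from_url "http://ocsp2.globalsign.com/gsextendvalg2"
```

Extra options such as -respout and -reqout can be passed after the URL and are forwarded unchanged.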

3 Responses to “Setting HTTP headers with OpenSSL and the OCSP test client”

  1. Gabriele

    Hi,
    I can't find any release of openssl that supports the option header. Can you share info about it?

    • rmhrisk

      It's been supported since around 9.8 but they never added it to the help menu; it's there, just give it a try.

  2. Gabriele

    OK, thank you.
    In 1.0 it works great
    (on Mac 10.8, which includes OpenSSL 0.9.8r 8 Feb 2011, it doesn't work).
