CAcert now has a fully functioning OCSP setup

CAcert now has an operational OpenCA (RFC compliant) OCSP Responder. All the certificates that were issued after 2005-05-16 should have the OCSP Service URL automatically included, and your OCSP client should check periodically for certificate status. The OCSP responder issues signed responses over http, (the OCSP address is not a normal website and you can only connect to it with an OCSP client, such as OpenSSL) once your client is running you can tell it to connect to http://ocsp.cacert.org or http://ocsp.cacert.org:2560.

To activate OCSP in firefox use the below settings.

  • Click on the Tools menu, then select Options.
  • After the Options window appears, select Advanced.
  • Scroll down until you get to the Validation section, OCSP will be the last option.
  • By default “Do not use OCSP for certificate Validation” is selected. Change to the second option, “Use OCSP to validate only certificates that specify an OCSP service URL”.
  • Click OK to close the Options window.

We run our OCSP Responder on port 2560 (OpenCA default), we also make this available as a vHost in Apache on port 80, which will be important for anyone stuck behind a firewall and unable to connect to ports other then 80 or 443.

We now issue all certificates with the OCSP Responder URI address listed as http://ocsp.cacert.org and we plan to distributed servers around the world via round-robin DNS. If/when load or bandwidth become a problem in the future, we can simply add more OCSP responders in a similar fashion to adding secondary name servers (DNS), and it would seem things could easily be made highly distributed with our current configuration.

Due to the threat model used in developing the RFC for OCSP, high availability will be a key issue in running/maintaining OCSP services. Any clients with OCSP turned on will fail to connect to any site whose certificate doesn’t have a valid OCSP response. As far as I’m aware mozilla products currently do not have any form of OCSP caching, so reading signed/encrypted email on a plane in Thunderbird could be difficult at this point in time. Microsoft is apparently developing an OCSP client for it’s next version of Windows/MSIE that apparently does some caching, although it will be interesting to see how well this works.

2 thoughts on “CAcert now has a fully functioning OCSP setup

  1. Dan

    FYI, Firefox (and presumably all Mozilla-based products) can’t handle OCSPs and proxies at the same time. So, if you have to use a proxy server, OCSPs won’t work. Here’s the cryptic error message I received after enabling OCSPs in Firefox:

    Error establishing an encrypted connection to ****.com. Error Code: -5990.

    (domain name removed)

    There are a couple of bugs related to this:

    https://bugzilla.mozilla.org/show_bug.cgi?id=111384
    https://bugzilla.mozilla.org/show_bug.cgi?id=220974

  2. Duane Post author

    The only time I received that error is if I tried to manually set the OCSP address, if I set it to use OCSP if it exists it still worked with my proxy (squid)

Leave a Reply