NSLU2-Linux
- FAQ: Frequently Asked Questions
- Donations
- Downloads
- Trac Bug Tracker
- Package Search Engine
- All Recent Wiki Changes
General
- HowTo Recipes
- Cool Peripherals
- Cool Applications
- Information Pages
- Ideas and Wish List
- Slug Success Stories
- Slug-Related Articles
- Project Mailing Lists
- Project IRC Channels
- Donations and Sponsors
- NSLU2-Linux Photo Gallery
OS/Firmware Projects
- NSLU2-Linux Development
- How Do I Get Involved?
- Unslung Firmware
- Debian Installation
- SlugOS Firmware
- OpenSlug Firmware
- SlugOS/LE Firmware
- OpenWrt Firmware
- Angstrom Firmware
- UcSlugC Firmware
- GentooSlug Firmware
- UpSlug Upload Tool
- Puppy Topfield Access
Firmware Targets
Optware
Optware Targets
Other Hardware
Wiki Resources
Sponsored Links
hosting by:
The Online Certificate Status Protocol is used to provide the status of X.509 certificates in lieu of a CRL. OCSPD is a daemon that serves a CRL file using OCSP. This is handy if you are running your own CA.
Here's how to build it on a SLUG - I don't have time to make an IPKG for it at the moment, but it should be straighforward from this recipe.
This assumes that you have the native tools installed.
- Get the OSCPD kit from http://www.openca.org/alby/download?target=openca-ocspd-1.5.1-rc1.tar.gz
- Install the following ipkgs:
- openssl
- openssl-dev
- openldap
- Unzip the ocspd archive & cd to the ocspd-1.5.1-rc1 directory
- setup the arm build environment, usually:
export PATH=$PATH:/opt/bin:/share/hdd/data/tools/bin export LD_LIBRARY_PATH=/lib:/opt/lib:/usr/lib:/usr/local/lib:/opt/armeb/armv5b-softfloat-linux/lib export LDFLAGS=-L/usr/local/lib export C_INCLUDE_PATH=/usr/include:/usr/local/include:/opt/armeb/include:/opt/armeb/armv5b-softfloat-linux/include:/opt/armeb/armv5b-softfloat-linux/sys-include
- Run configure with the following options:
./configure --prefix=/opt --with-openssl-prefix=/opt --with-ocspd-user=ocspd --with-ocspd-group=ocspd --with-openldap-prefix=/opt
- Make requires a small tweak to get ocspd to link:
make LIBS="-lresolv -lnsl -lsasl2 -rpath /opt/lib"
- Install
make install
- Change the startup file
cd /opt/etc/init.d
mv ocspd S43ocspd
--- oscpd 2009-07-11 09:36:01.000000000 -0400
+++ S43ocspd 2009-07-11 09:53:20.000000000 -0400
@@ -57,7 +57,7 @@
echo "stopped."
else
pid=`cat $pidfile`;
- if test `ps -p ${pid}` ; then
+ if ps -p ${pid} >/dev/null ; then
echo "running ( $pid ) ... "
else
echo "stopped."
ln -s S43ocspd K80ocspd
- Edit your /opt/etc/ocspd.conf file see man ocspd.conf for details. Suggestion: Set threads_num to something more reasonable, like 25. Also, create the ocspd user and group -- you can do this with the GUI so that they persist.
- Edit /opt/etc/init.d/S43ocspd to reflect the location of your pidfile (suggest /opt/var/run/ocspd.pid)
/opt/etc/init.d/S43ocspd start
And you should be off.
By default, ocspd will listen on port 2560. If you also want to listen on port 80 & you have a webserver handy, do something like this (apache):
# Allow OCSP content for POST (If you have mod_security)
SecRuleRemoveById 960010
# Proxy OCSP requests to the OCSP server
# -- Any POST with OCSP content
# -- /ocsp (for GET)
ReWriteCond %{HTTP:Content-Type} ^application/ocsp-request$ [OR]
ReWriteCond %{REQUEST_URI} ^/ocsp
RewriteRule ^/(.*) http://ocsp.litts.net:2560/$1 [P]
If you have difficultiy, start-verbose will log more information in /var/log/messages
Enjoy