NSLU2-Linux

HowTo.BuildOCSPD History


July 15, 2009, at 01:19 PM by tlhackque --
Changed line 27 from:
 make LIBS="-lresolv -lnsl -lsasl2"
to:
 make LIBS="-lresolv -lnsl -lsasl2 -rpath /opt/lib"
July 11, 2009, at 06:31 PM by tlhackque --
Changed line 44 from:

+ if ps -p ${pid} ; then

to:

+ if ps -p ${pid} >/dev/null ; then

July 11, 2009, at 03:04 PM by tlhackque --
Changed line 51 from:
  • Edit your /opt/etc/ocspd.conf file see man ocspd.conf for details.
to:
  • Edit your /opt/etc/ocspd.conf file see man ocspd.conf for details. Suggestion: Set threads_num to something more reasonable, like 25. Also, create the ocspd user and group -- you can do this with the GUI so that they persist.
July 11, 2009, at 02:53 PM by tlhackque --
Changed lines 59-60 from:

By default, ocspd will listen on port 2560. If you also want to listen on port 80 & you have a webserver handy, do something like this: [=

to:

By default, ocspd will listen on port 2560. If you also want to listen on port 80 & you have a webserver handy, do something like this (apache): [@

Changed lines 71-72 from:

=]

to:

@]

July 11, 2009, at 02:52 PM by tlhackque --
Changed line 15 from:

[=

to:

[@

Changed line 20 from:

=]

to:

@]

Changed line 22 from:

[=

to:

[@

Changed line 24 from:

=]

to:

@]

Changed line 26 from:

[=

to:

[@

Changed line 28 from:

=]

to:

@]

Changed line 30 from:

[=

to:

[@

Changed line 32 from:

=]

to:

@]

Changed line 34 from:

[=

to:

[@

Changed line 50 from:

=]

to:

@]

Changed line 53 from:

[=

to:

[@

Changed lines 55-56 from:

=]

to:

@]

July 11, 2009, at 02:51 PM by tlhackque -- Formatting
Added line 15:

[=

Added line 20:

=]

Added line 22:

[=

Added line 24:

=]

Added line 26:

[=

Added line 28:

=]

Added line 30:

[=

Added line 32:

=]

Changed lines 34-35 from:

[@cd /opt/etc/init.d

to:

[= cd /opt/etc/init.d

Changed line 50 from:

@]

to:

=]

Changed lines 53-54 from:
  • /opt/etc/init.d/S43ocspd start
to:

/opt/etc/init.d/S43ocspd start

Changed line 60 from:
to:

[=

Changed lines 71-72 from:
to:

=]

July 11, 2009, at 02:45 PM by tlhackque -- Add page
Added lines 1-63:

The Online Certificate Status Protocol (OCSP) is used to provide the revocation status of X.509 certificates in lieu of handing out a CRL. OCSPD (OpenCA's ocspd) is a daemon that answers OCSP requests from a CRL file. This is handy if you are running your own CA.

Here's how to build it on a SLUG. I don't have time to make an IPKG for it at the moment, but it should be straightforward from this recipe.

This assumes that you have the native tools installed.

  • Get the OCSPD kit from http://www.openca.org/alby/download?target=openca-ocspd-1.5.1-rc1.tar.gz
  • Install the following ipkgs:
    • openssl
    • openssl-dev
    • openldap
  • Unpack the ocspd tarball & cd to the ocspd-1.5.1-rc1 directory
  • Set up the ARM build environment, usually:
 export PATH=$PATH:/opt/bin:/share/hdd/data/tools/bin
 export LD_LIBRARY_PATH=/lib:/opt/lib:/usr/lib:/usr/local/lib:/opt/armeb/armv5b-softfloat-linux/lib
 export LDFLAGS=-L/usr/local/lib
 export C_INCLUDE_PATH=/usr/include:/usr/local/include:/opt/armeb/include:/opt/armeb/armv5b-softfloat-linux/include:/opt/armeb/armv5b-softfloat-linux/sys-include
  • Run configure with the following options:
 ./configure --prefix=/opt --with-openssl-prefix=/opt --with-ocspd-user=ocspd --with-ocspd-group=ocspd --with-openldap-prefix=/opt
  • Make requires a small tweak to get ocspd to link:
 make LIBS="-lresolv -lnsl -lsasl2"
  • Install
 make install
  • Change the startup file
 cd /opt/etc/init.d
 mv ocspd S43ocspd
--- oscpd       2009-07-11 09:36:01.000000000 -0400
+++ S43ocspd    2009-07-11 09:53:20.000000000 -0400
@@ -57,7 +57,7 @@
                echo "stopped."
        else
                pid=`cat $pidfile`;
-               if test `ps -p ${pid}` ; then
+               if ps -p ${pid} ; then
                        echo "running ( $pid ) ... "
                else
                        echo "stopped."
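Review bot: the replacement `if ps -p ${pid} ; then` still lets ps print its header and process line to the console every time `status` runs; redirect it (`if ps -p ${pid} >/dev/null 2>&1 ; then`), as the July 11 06:31 PM revision of this page later does for stdout. The old `if test \`ps -p ${pid}\`` form was genuinely broken, since ps prints several words and `test` given that many arguments with no operator fails, so the substance of the fix is right. Two things the hunk leaves alone: the check only proves that some process with that pid exists, so a stale pidfile left behind by a crash whose pid has since been reused reports "running", and `pid=\`cat $pidfile\`` is unquoted, so an empty or garbage pidfile reaches ps as a bad argument; consider confirming the process name (for example from /proc/$pid/cmdline) before trusting the pid. Also, the `---` header names the file `oscpd` while the mv above renamed `ocspd`, which looks like a typo in the header.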

 ln -s S43ocspd K80ocspd
  • Edit your /opt/etc/ocspd.conf file; see man ocspd.conf for details. Also make sure the ocspd user and group named on the configure line exist.
  • Edit /opt/etc/init.d/S43ocspd to reflect the location of your pidfile (suggest /opt/var/run/ocspd.pid)
  • /opt/etc/init.d/S43ocspd start

And you should be off.
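As an added example (not the ocspd init script and not from the original page), here is the pidfile handling I would put in S43ocspd in place of the `ps -p ${pid}` check patched above: it accepts only a numeric pid, confirms that the pid still belongs to an ocspd process before reporting "running", and refuses to signal anything else on stop, so a stale or edited pidfile under /opt/var/run cannot make the root-run stop action kill an unrelated process. The default pidfile path is the one suggested above; the process-name check via /proc (with a ps fallback) and the return codes are my choices.

```shell
#!/bin/sh
# Pidfile handling for an ocspd init script. Added example; not the OpenCA
# ocspd init script. Assumed default pidfile location (suggested on the page).
OCSPD_PIDFILE="${OCSPD_PIDFILE:-/opt/var/run/ocspd.pid}"

# proc_matches PID NAME: true if PID is alive and its command line contains
# NAME. /proc is used where mounted; otherwise fall back to ps (note that
# BusyBox ps may not accept -p/-o, in which case adjust the fallback).
proc_matches() {
    pid="$1"; name="$2"
    kill -0 "$pid" 2>/dev/null || return 1
    if [ -r "/proc/$pid/cmdline" ]; then
        tr '\0' ' ' < "/proc/$pid/cmdline" | grep -Fq -- "$name"
    else
        ps -p "$pid" -o args= 2>/dev/null | grep -Fq -- "$name"
    fi
}

# read_pidfile FILE: print the pid stored in FILE; fail if the file is
# missing or does not hold a plain positive integer (no shell tricks, no
# empty value reaching kill or ps).
read_pidfile() {
    [ -f "$1" ] || return 1
    pid=$(head -n 1 "$1" | tr -d ' \t\r')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# ocspd_status [PIDFILE] [NAME]
#   returns 0 running, 1 stopped (no pidfile), 2 stale pidfile, 3 malformed pidfile
ocspd_status() {
    pidfile="${1:-$OCSPD_PIDFILE}"; name="${2:-ocspd}"
    [ -f "$pidfile" ] || { echo "stopped."; return 1; }
    pid=$(read_pidfile "$pidfile") || { echo "malformed pidfile $pidfile"; return 3; }
    if proc_matches "$pid" "$name"; then
        echo "running ( $pid ) ..."
        return 0
    fi
    echo "stale pidfile $pidfile (pid $pid is not $name)"
    return 2
}

# ocspd_stop [PIDFILE] [NAME]: signal the pid only if it really is NAME and
# remove the pidfile afterwards; returns 2 without signalling otherwise.
ocspd_stop() {
    pidfile="${1:-$OCSPD_PIDFILE}"; name="${2:-ocspd}"
    pid=$(read_pidfile "$pidfile") || { echo "no usable pidfile at $pidfile"; return 1; }
    if ! proc_matches "$pid" "$name"; then
        echo "refusing to kill pid $pid: it is not $name"
        return 2
    fi
    kill -TERM "$pid" && rm -f "$pidfile"
}
```

Source this file from S43ocspd and call `ocspd_status` / `ocspd_stop` from the `status` and `stop` branches; the return codes let the init script distinguish a clean stop from a pidfile it should not trust.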

By default, ocspd will listen on port 2560. If you also want to listen on port 80 and you have a webserver handy, do something like this (Apache, with mod_rewrite and mod_proxy loaded; replace the hostname with your own responder's):

    # Allow OCSP content for POST (if you have mod_security)
    SecRuleRemoveById 960010

    # Proxy OCSP requests to the OCSP server
    #  -- Any POST with OCSP content
    #  -- /ocsp (for GET)
    RewriteEngine On
    RewriteCond %{HTTP:Content-Type} ^application/ocsp-request$ [OR]
    RewriteCond %{REQUEST_URI} ^/ocsp
    RewriteRule ^/(.*) http://ocsp.litts.net:2560/$1 [P]

Note that the first condition matches any path, so anything posted with that Content-Type anywhere on this vhost is forwarded to ocspd; keep the rules in a vhost that only serves the responder if that is not what you want.
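To check that both rewrite conditions do what you expect, here is an added example (not part of the page or of ocspd) that sends the same OCSP request through the proxy both ways: as a POST with Content-Type application/ocsp-request, and as the RFC 6960 Appendix A GET, whose URL is the URL-encoded base64 of the DER request appended to /ocsp/. The responder URL ocsp.example.net, the file names req.der and resp.der, and the presence of curl and openssl are assumptions; the two certificate files are whatever issuer and subject you want to check.

```shell
#!/bin/sh
# Exercise an ocspd behind the Apache rewrite rules with both request styles
# the rules match. Added example; not part of the page or of ocspd.
OCSP_URL="${OCSP_URL:-http://ocsp.example.net/ocsp}"   # assumed placeholder host

# ocsp_get_path: read DER bytes on stdin, emit the RFC 6960 A.1 GET path
# component: URL-encoding of the base64 of the DER. base64 output may be
# line-wrapped, so join it first; only '+', '/' and '=' need escaping.
ocsp_get_path() {
    if command -v base64 >/dev/null 2>&1; then
        b64=$(base64 | tr -d '\n')
    else
        b64=$(openssl base64 | tr -d '\n')
    fi
    printf '%s\n' "$b64" | sed -e 's/+/%2B/g' -e 's#/#%2F#g' -e 's/=/%3D/g'
}

# make_request ISSUER_CERT LEAF_CERT [OUT]: DER OCSPRequest for LEAF_CERT.
# -no_nonce keeps the request short, which matters for the GET form.
make_request() {
    openssl ocsp -issuer "$1" -cert "$2" -no_nonce -reqout "${3:-req.der}" >/dev/null
}

# ocsp_post [REQ]: the POST form; this is what the Content-Type RewriteCond matches.
ocsp_post() {
    curl -sS -o resp.der \
        -H 'Content-Type: application/ocsp-request' \
        --data-binary "@${1:-req.der}" "$OCSP_URL"
}

# ocsp_get [REQ]: the GET form; this is what the ^/ocsp RewriteCond matches.
ocsp_get() {
    curl -sS -o resp.der "${OCSP_URL}/$(ocsp_get_path < "${1:-req.der}")"
}

# show_response RESP CA_CERT: decode the answer and verify the responder's
# signature chain against CA_CERT; openssl exits non-zero if that fails.
show_response() {
    openssl ocsp -respin "$1" -CAfile "$2" -resp_text
}

# Usage: ./ocsp-check.sh issuer.pem leaf.pem
if [ $# -ge 2 ]; then
    make_request "$1" "$2" req.der && ocsp_post req.der && show_response resp.der "$1"
    ocsp_get req.der && show_response resp.der "$1"
fi
```

If the POST works and the GET does not, the request is reaching Apache but the `^/ocsp` rule (or ocspd's handling of the GET form) is the problem; if neither works, check that mod_proxy is loaded and that port 2560 is reachable from the webserver.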

If you have difficulty, starting the daemon with start-verbose will log more information in /var/log/messages.

Enjoy

Last edited by tlhackque.
Originally by tlhackque.
Page last modified on July 15, 2009, at 01:19 PM