How to enable support for Opera browsers that send OCSP requests and receive a response saying "Bad Request"

Background:

This problem occurs because, by default, Apache Tomcat disallows the use of "%2F" (the URL-encoded form of the '/' character) for security reasons: if this sequence were allowed, attackers could gain access to protected resources. See the link below for more details on this topic.

Some versions of Opera generate OCSP GET requests that contain "%2F" as part of the URL-encoded OCSP request value. The information below shows how to configure Apache Tomcat to allow "%2F" so that these requests can be processed successfully.

Solution: 

Look for the text given below in the "service.bat" file at the location "[ADSS Server installation directory]/tomcat/bin"

and modify it by appending ";-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true" as shown below:

Uninstall the "Ascertia-ADSS-Service" using the script "uninstall_service.bat" and install it again using the script "install_service.bat" (use a command prompt window opened with Administrator privileges). This solves the problem by adding the required entry to the Windows registry.
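The following added example (not code from the page or from Ascertia) shows why the RFC 6960 GET encoding produces "%2F" in the path, how to check a JVM options string for the property added above, and how to spot the resulting 400 responses in Tomcat access logs. The DER bytes and log lines are constructed placeholders; the "/ocsp/" path is assumed.

```python
"""Why some OCSP GET requests hit Tomcat's encoded-slash check.

RFC 6960 Appendix A sends an OCSPRequest over GET as
    GET {responder-url}/{url-encoding of base64-encoding of DER(OCSPRequest)}
Base64 uses '/' as a symbol, so the path may contain "%2F", which Tomcat
rejects with 400 Bad Request unless ALLOW_ENCODED_SLASH=true is set.
"""
import base64
import re
from urllib.parse import quote, unquote

# Constructed placeholder bytes standing in for a DER-encoded OCSPRequest
# (not a real request); chosen so that their base64 form contains '/'.
SAMPLE_REQUEST_DER = bytes.fromhex("30050403ffffff")
ALLOW_SLASH_PROP = "org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH"


def ocsp_get_path(der_request: bytes) -> str:
    """RFC 6960 GET path segment: base64, then percent-encode reserved
    characters ('/' -> %2F, '+' -> %2B, '=' -> %3D)."""
    return quote(base64.b64encode(der_request).decode("ascii"), safe="")


def has_encoded_slash(path: str) -> bool:
    """True if Tomcat's default settings would reject this path."""
    return "%2f" in path.lower()


def decode_ocsp_get_path(path_segment: str) -> bytes:
    """Reverse the encoding: percent-decode first, then base64-decode."""
    return base64.b64decode(unquote(path_segment))


def tomcat_allows_encoded_slash(jvm_options: str) -> bool:
    """Check a JVM options string (such as the line edited in service.bat)
    for the property this page tells you to append."""
    m = re.search("-D" + re.escape(ALLOW_SLASH_PROP) + r"=(\w+)", jvm_options)
    return m is not None and m.group(1).lower() == "true"


def count_rejected_ocsp_gets(access_log_lines) -> int:
    """Count 400 responses to GET paths carrying %2F in Tomcat access-log
    lines (common log format): a quick signal that this problem is occurring."""
    hits = 0
    for line in access_log_lines:
        m = re.search(r'"GET (\S+) HTTP/\d\.\d" (\d{3})', line)
        if m and m.group(2) == "400" and has_encoded_slash(m.group(1)):
            hits += 1
    return hits
```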

How to avoid a malformed request error when sending multiple certificate status requests in an OCSP request message?

In order for the OCSP Service to process multiple certificate IDs in a single OCSP request object, the OCSP Service Advanced Settings need to be configured accordingly.
Click here to learn more about how to configure the ADSS OCSP Service to process up to "n" certificate IDs in a single OCSP request.

Why does the first OCSP request after a restart take a long time to respond?

The first OCSP transaction takes additional time because the OCSP response signing key details are being retrieved from the HSM / database. For subsequent OCSP calls, the OCSP response signing key alias is cached, so responses are processed much faster. This is expected behaviour and it only happens after the OCSP service is restarted.

How to configure ADSS Server OCSP service for optimum performance?

In an environment where the number of incoming OCSP requests is very high (e.g. over 500 requests per second), the OCSP responder should be configured to minimise internal processing overheads.

Click here to learn more about Optimising ADSS OCSP Server performance.
