sl@0: The oscpResponder.pl script requires the ocsp responder to support DSA
sl@0:
sl@0: the following patch can be applied to openssl 0.9.7b or 0.9.7c:
sl@0:
sl@0: --- openssl-0.9.7b.ORIG/apps/ocsp.c 2003-03-26 02:47:06.000000000 +0200
sl@0: +++ openssl-0.9.7b/apps/ocsp.c 2004-02-22 16:11:18.000000000 +0200
sl@0: @@ -1115,7 +1115,16 @@
sl@0:
sl@0: OCSP_copy_nonce(bs, req);
sl@0:
sl@0: - OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flags);
sl@0: + {
sl@0: + /*in case of DSA keys we should use EVP_dss1()*/
sl@0: + const EVP_MD *evp_md;
sl@0: + /*
sl@0: + * - EVP_dss1 only or can be EVP_dss for some DSA keys ?
sl@0: + * - should we use method EVP_PKEY_type() ?
sl@0: + */
sl@0: + evp_md = (rkey->type == EVP_PKEY_DSA) ? EVP_dss1() : EVP_sha1();
sl@0: + OCSP_basic_sign(bs, rcert, rkey, evp_md, rother, flags);
sl@0: + }
sl@0:
sl@0: *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
sl@0:
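Review bot: The return value of the added `OCSP_basic_sign(bs, rcert, rkey, evp_md, rother, flags);` call is still discarded, so a failed signature falls straight through to `OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs)` and the responder can emit a "successful" response whose basic response was never signed. Test the result (`if (!OCSP_basic_sign(...))`) and answer with OCSP_RESPONSE_STATUS_INTERNALERROR instead. Separately, the digest choice compares `rkey->type` directly; the patch's own comment asks whether EVP_PKEY_type() should be used, and it should, since a key carrying one of the DSA alias type values would otherwise be paired with EVP_sha1(): `evp_md = (EVP_PKEY_type(rkey->type) == EVP_PKEY_DSA) ? EVP_dss1() : EVP_sha1();`. The enclosing function begins and ends outside this hunk, so whether rkey can be NULL here is not visible.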