https://bz.apache.org/bugzilla/show_bug.cgi?id=62112
Bug ID: 62112
Summary: Make OCSP more configurable (like CRL)
Product: Apache httpd-2
Version: 2.4.29
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Created attachment 35733
--> https://bz.apache.org/bugzilla/attachment.cgi?id=35733&action=edit
diff file for my differences
The OCSP revocation is much less configurable than the CRL one. The option
SSLCARevocationCheck can be configured using the OpenSSL options: none (no CRL
revocation), chain (full CRL revocation for the chain) and leaf (only
revocation for the last certificate, the user certificate). There is even a flag,
no_crl_for_cert_ok, that lets you configure the revocation to not fail if no CRL
is found for the certificate. The OCSP configuration is just on (chain) or off
(none). Therefore not all the CRL configurations can be replaced by an OCSP
one.
I did a little proof to configure the SSLOCSPEnable just as the
SSLCARevocationCheck tag. The idea is the same:
SSLOCSPEnable on|chain|leaf|none|no flags
flags: no_ocsp_for_cert_ok
The values on and off are just added for compatibility and they mean chain and
none respectively.
In several situations I found the OCSP configuration too strict for me and
I couldn't configure what the customer wanted with OCSP (usually only leaf
check, or just check OCSP if the certificate has the extension for it).
I tested the changes and it seems to work properly. What do you think? Do you
think it is useful?
Thanks!