Hi Alvaro,
OK, let me explain it better. Validation of a client certificate's status
must be done via an OCSP request. That can be done via a scripting
language -i.e., PHP- but Apache, since version 2.3.x, can do it
automatically with mod_ssl:
http://httpd.apache.org/docs/2.3/new_features_2_3.html
"mod_ssl can now be configured to use an OCSP server to check the
validation status of a client certificate. The default responder is
configurable, along with the decision on whether to prefer the responder
designated in the client certificate itself."
Even if the client -a browser- is able to do its own OCSP queries,
validation of the client certificate should always be done on the server
side, for security reasons -for example, someone trying to use a revoked
client certificate-. You can do it at the CGI level, but it would make life
easier to have the option of configuring it at the Cherokee -web server-
level, as Apache does in its latest server version.
Does Cherokee allow -or will it allow- configuring an OCSP responder to
validate client certificates?
On Thu, 25 Aug 2011 13:14:43 +0200, Alvaro Lopez Ortega
<[email protected]> wrote:
Hello Hugo,
2011/8/25 Hugo Vazquez Carames <[email protected]>
I would like to know if Cherokee supports OCSP validation of the client
certificate chain.
As far as I'm aware, Cherokee doesn't have anything to do with OCSP.
There are just a couple of pieces of software involved. First, the
client - usually a web browser - that may (or may not) perform an OCSP
query. Secondly, it is the OCSP server that is the one in charge of
handling those queries.
Am I missing some other interaction with the Web server?
--
---------------------
Hugo Vázquez Caramés
"It is the job that is never started that takes longest to finish" (J.
R. R. Tolkien)
"Most people spend more time and energy talking about problems than
tackling them" (Henry Ford)
========================================================
PENTEST Consultores
Tel: 93 3962070 / Fax: 93 3962001
e-mail: [email protected]
========================================================
Gain credibility and trust, visit http://www.pentest.es
This email is confidential and intended solely for the use of the
individual to whom it is addressed. If you are not the intended
recipient, be advised that you have received this email in error and that
any use, dissemination, forwarding, printing or copying of this email is
strictly prohibited. If you have received this email in error please
notify the sender.
_______________________________________________
Cherokee mailing list
[email protected]
http://lists.octality.com/listinfo/cherokee
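As an added illustration of the server-side check discussed in the thread (this is not code from the thread, from Apache's documentation, or from the Cherokee project), the following Apache 2.3/2.4 mod_ssl virtual host requires a client certificate and queries an OCSP responder for its revocation status during the handshake. The hostnames, file paths and the responder URL are placeholders; the directives themselves (SSLVerifyClient, SSLOCSPEnable, SSLOCSPDefaultResponder, SSLOCSPOverrideResponder, SSLOCSPResponderTimeout) are the mod_ssl ones.

```apache
# Added example (not from the thread or the Cherokee project).
# Apache 2.3/2.4 mod_ssl vhost: require a client certificate and check
# its revocation status via OCSP on the server side.
# Hostnames, paths and the responder URL are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Require a client certificate that chains to our CA.
    # On its own this verifies only the signature chain and validity
    # dates: a revoked but unexpired client certificate is still accepted.
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /etc/ssl/certs/client-ca.pem

    # Ask an OCSP responder about every client certificate presented,
    # so a revoked certificate is rejected during the TLS handshake.
    SSLOCSPEnable on

    # Responder used when the certificate carries no OCSP URL in its
    # Authority Information Access extension (or always, see below).
    SSLOCSPDefaultResponder http://ocsp.example.com/

    # "on": ignore the responder URL embedded in the client certificate
    # and always use the default responder above.
    # "off": prefer the URL designated in the certificate itself.
    SSLOCSPOverrideResponder on

    # Seconds to wait for the responder. If it cannot be queried, mod_ssl
    # fails the client verification rather than accepting the certificate.
    SSLOCSPResponderTimeout 10
</VirtualHost>
```

SSLOCSPOverrideResponder is the setting to pin when the client CA is your own and you do not want the server contacting whatever URL a presented certificate names; leave it off only when the certificates' embedded responder URLs are trusted and reachable from the web server.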