On Thu, Apr 08, 1999, Andrea e Luca Giacobazzi wrote:
> Hi everybody, my name is Andrea Giacobazzi, and I'm developing a patch for
> mod_ssl exactly in function ssl_engine_kernel.c (look at labels "Giacob") to
> realize an ocsp responder to verify client certificate, during client
> authentication. It works with LDAP directory v2 and looks for the client cert
> in the directory: if it's present set ocsp status GOOD else set ocsp status
> SUSPENDED. You can change the directory name in ldapservers var.
>
> Anyone interested in it? Any hints?
>
> I'd like to realize a complete ocsp responder for ldap, and also http then,
> compliant with IETF directives (see ocsp draft) and maybe include it in
> mod_ssl. I'd like also to submit the activation of ocsp check to the config
> file of apache server: how is it possible to do that?

Looks interesting, but I see no reason why you have to patch such an OCSP
responder service directly into mod_ssl. With the help of EAPI it should be
trivial to form your own mod_ocsp.c out of your code. If I see it correctly,
all you need is that I add an EAPI hook to ssl_callback_SSLVerify() which
allows your module to be called while the certificate is verified by mod_ssl.
The whole processing then can be done entirely inside your mod_ocsp.c, because
it looks independent of mod_ssl/OpenSSL because it mainly deals with the LDAP
library, right? Even the ssl_var_lookup() function you use can still be called
via EAPI, of course.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]