Andrea e Luca Giacobazzi wrote:
>
> I need an OCSP responder that works with an INTERNAL LDAP directory, because
> the organization of the Modena municipality, which I'm working for, puts
> certificates in an LDAP directory (on the intranet). In my context, the client
> is the Apache server that needs to verify the client certificate status during
> client auth, and the responder is the module that I'm creating for mod_ssl, or
> maybe it can be in OpenSSL, I'm thinking on it. But I think mod_ssl is better
> to perform different kinds of access to the server, depending on the cert
> status, i.e. if the cert is suspended you can only access a small part of the
> application on the server (such as a cgi-bin that alerts you about the cert
> status). Then I'd like to have also HTTP OCSP for completeness.
> Tell me what you think about it.
I begin to understand your problem.
Here are some random remarks about this:
1/ As you said, if you need access to some pages, you could implement
that simply using a PHP header at the beginning of each of your PHP pages.
No need for OCSP here. The authentication is thus done in each page and
you can have different actions as a function of the status of the
certificate (suspended, revoked or valid). This is very simple to do but
works only for you.
2/ You need a way to put the status in LDAP, which does not exist in PKIX
of course. The problem is that in LDAP the certificate is in the entry of
the end entity, which could have several certificates (as a multi-valued
attribute). It is not enough to see if there is a certificate.
3/ The OCSP responder responds to requests from mod-ssl, thus you should not
implement the responder in mod-ssl, as the OCSP draft explains:
3. Protocol Overview
In lieu of or as a supplement to checking against a periodic CRL, it
may be necessary to obtain timely status regarding a certificate's
state (cf. [PKIX1], Section 3.3). Examples include high-value funds
transfer or large stock trades.
The Online Certificate Status Protocol (OCSP) enables applications to
determine the state of an identified certificate. OCSP may be used to
satisfy some of the operational requirements of providing more timely
revocation information than is possible with CRLs and may also be
used to obtain additional status information. An OCSP client issues a
status request to an OCSP responder and suspends acceptance of the
certificate in question until the responder provides a response.
This protocol specifies the data that needs to be exchanged between
an application checking the status of a certificate and the server
providing that status.
=> mod-ssl is the OCSP client and the OCSP responder is just a CGI
running on an HTTP(S) server.
4/ The OCSP client should anyway be implemented in OpenSSL because it is
part of certificate verification. But that means you need an LDAP or HTTP
library in OpenSSL to be able to contact the OCSP responder. I don't
know.
Marc
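The client/responder split described in points 3 and 4 can be staged offline with the openssl command line; the script below is an added example, not code from this thread or from mod_ssl. It builds a throw-away CA, marks the constructed end-entity cert as on hold in an index file (standing in for the status store Marc notes LDAP lacks), has a responder answer from that index, and has a client verify the signed answer. It assumes openssl is on PATH; all names, the serial 0x1001 and the dates are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: the OCSP exchange staged offline with
# the openssl CLI. The responder answers from an index file in "openssl ca"
# format (the status store PKIX/LDAP lacks); the client builds the request
# and verifies the signed answer. Assumes openssl on PATH; every name,
# serial and date below is constructed for the demo.
set -e

# Throw-away CA plus one end-entity cert with a known serial (0x1001).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=Constructed-Test-CA \
        -days 1 -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=suspended-user \
        -keyout client.key -out client.csr 2>/dev/null
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key \
        -set_serial 0x1001 -days 1 -out client.pem 2>/dev/null
}

# Responder database, six tab-separated fields: status, expiry,
# revocation time[,reason], serial (hex), file, subject DN.
# certificateHold is the CRL reason that models a *suspended* certificate.
write_index() {
    printf 'R\t%s\t%s,certificateHold\t1001\tunknown\t/CN=suspended-user\n' \
        301231235959Z 240101120000Z > index.txt
}

# Client: build the request. Responder: answer from index.txt, signed by
# the CA key. Client: verify the response against the CA and print status.
ocsp_status() {
    openssl ocsp -issuer ca.pem -cert client.pem -no_nonce -reqout req.der
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -reqin req.der -respout resp.der
    openssl ocsp -issuer ca.pem -cert client.pem -no_nonce -CAfile ca.pem \
        -respin resp.der 2>/dev/null
}

# The single status word (good/revoked/unknown) and the CRL reason that a
# policy hook such as the one in point 1 would branch on.
status_word() { ocsp_status | awk '/^client\.pem: /{print $2}'; }
reason_word() { ocsp_status | awk '/^[ \t]*Reason: /{print $2}'; }

workdir=$(mktemp -d) && cd "$workdir"
make_test_pki
write_index
echo "status=$(status_word) reason=$(reason_word)"
```

Changing the first field of the index line to V (and dropping the revocation time) makes the same client report the cert as good, which is the decision a mod_ssl hook would act on.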
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]