On Wed, Feb 28, 2001 at 10:17:59AM +0100, John Espen Hetty wrote:
> Just wanted to know if anyone else was using this option.

Check the list archive - quite a few people are using that feature.
I had some three or four thousand users (previous job).

> Regarding our trouble with two-way authentication; it seems that the server
> sometimes freezes, or that it sometimes insists on asking for the user
> certificate (re-negotiation) on every request. There are some keep-alive
> problems as well. I really haven't figured out what causes this, so it might
> be something unrelated to the web server, or perhaps it's just me goofing
> it up ;-)

This could have something to do with session caching and browser "features".
The "server freezes" is usually seen with Netscape Navigator - but that is
purely browser related, and will happen with all SSL servers requiring
client certs. Having to present the certificate for every request is usually
because session caching is failing - maybe you have SSLSessionCache none
instead of one of the shared memory based ones. If having to re-negotiate
certs happens after 1-2 minutes, then it could be the client that has timed out
the session (an MSIE feature). For keepalive trouble see the FAQ.

> As for CRL handling; there really should be an OCSP option. Some CAs
> don't publish their CRLs, but make you look it up on their server. This
> means we have to have some sort of 'middle-ware' to do this job.

AFAIK there are not that many working implementations of OCSP, but it has
recently been added to openssl, so it wouldn't be too big a job to have the
same in mod_ssl. One thing to note is that using OCSP will add a significant
overhead! 

> You seem a little agitated, there. No need to take this personally (unless
> it was you who made the thing, of course ;-)

I didn't write mod_ssl, but I like the software and your previous mail sure 
looked like FUD.

>  -Jon
> PS: As for prices on commercial CRL software; have you checked? OK, it's not
> a million bucks, but it's _expensive_.

Openssl handles CRLs and OCSP for only $0 ;-)

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]

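To make the two points in the message above concrete, here is an added configuration example that is not from the post, from the list, or from the mod_ssl project itself. It shows the session-cache setting that causes the client certificate to be requested on every request next to a working shared-memory cache, and the CRL and OCSP revocation directives that answer the "there really should be an OCSP option" request. It assumes the directive names of Apache httpd 2.4 mod_ssl (OCSP support was added to mod_ssl long after this 2001 thread); the hostname, file paths and cache size are placeholders to adapt.

```apache
# Added example, not code from the mailing-list post or the mod_ssl project.
# Assumes Apache httpd 2.4 mod_ssl directive names; paths, hostname and
# cache size are placeholders.

# Weak setting: with no session cache every connection does a full handshake,
# so the browser is asked for its certificate on every request.
# (Left commented out; shown only as the setting to avoid.)
# SSLSessionCache none

# Corrected setting: a shared-memory cache that all worker processes can see,
# so resumed sessions skip the client-certificate handshake entirely.
SSLSessionCache        shmcb:/var/run/httpd/ssl_scache(512000)
# Keep the server-side lifetime longer than the browser's own session
# timeout; a client that expires its session first will re-negotiate anyway.
SSLSessionCacheTimeout 300

<VirtualHost *:443>
    # placeholder hostname
    ServerName             example.com
    SSLEngine              on
    # placeholder server certificate and key
    SSLCertificateFile     /etc/ssl/certs/server.crt
    SSLCertificateKeyFile  /etc/ssl/private/server.key

    # Two-way authentication: require a client certificate issued by this CA
    # (placeholder path to the CA bundle used to verify clients).
    SSLCACertificateFile   /etc/ssl/certs/client-ca.pem
    SSLVerifyClient        require
    SSLVerifyDepth         2

    # CRL checking for CAs that do publish a CRL (placeholder path);
    # "chain" checks every certificate in the client's chain, not just the leaf.
    SSLCARevocationFile    /etc/ssl/crl/client-ca.crl
    SSLCARevocationCheck   chain

    # OCSP checking for CAs that only offer online status lookups.
    # Each full handshake now costs a round trip to the responder, which is
    # the overhead the reply warns about; the session cache above keeps
    # resumed connections from paying it again. A bounded timeout stops a
    # slow responder from stalling every new handshake.
    SSLOCSPEnable          on
    SSLOCSPResponderTimeout 10
</VirtualHost>
```

With the cache enabled, a browser that resumes its SSL session is neither asked for its certificate again nor subjected to a fresh OCSP query, so the per-request re-negotiation described in the thread disappears unless the client itself has discarded the session; in that case the re-negotiation interval will match the client's timeout rather than the server's.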