FYI, I added support for certificate validation through OCSP, where the OCSP server URI is contained in the certificate itself (following the X.509 standard).
The patch is available on http://issues.apache.org/bugzilla/show_bug.cgi?id=31383 (for 2.0.49, but most of it is in separate files, thus it should be easy to add to 1.3).

The check is optional.
There is also a parameter to decide if the authentication fails or not when the server cannot be reached.

The code allows conditional compilation (full code enclosed in #ifdef).

This was developed for the Belgian Government and distributed publicly from January 2004. No bug has been reported since.

The code supports a proxy, although the option was not added in the config file.
Another option in the config file could be to use a specified URI in case it is not present in the certificate.

If you have any remarks about it, just send me an e-mail.

Marc Stern

CSC Computer Sciences Corporation Belgium
Security Solutions Group Manager / Network and System Architect

mobile: +32 (0)475 68 29 10    -    Phone: +32 (0)2 714 74 91
e-mail: [EMAIL PROTECTED]    -    fax: +32 (0)2 714 71 01
Hippokrateslaan,14   -   B-1932 Sint-Stevens-Woluwe   -  Belgium



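The options described in the message (optional check, a parameter for the unreachable-server case, and the proposed fallback URI) come down to one accept/reject decision. The sketch below is an added example, not code from the patch or from mod_ssl; the type, field and function names are hypothetical, and the handling of an "unknown" status and of a certificate with no responder URI are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Outcome of one OCSP query (constructed model, not OpenSSL types). */
typedef enum { OCSP_GOOD, OCSP_REVOKED, OCSP_UNKNOWN, OCSP_UNREACHABLE } ocsp_result;
typedef enum { AUTH_ACCEPT, AUTH_REJECT } auth_decision;

/* Hypothetical settings mirroring the options described in the message. */
typedef struct {
    int enabled;              /* the check is optional */
    int fail_if_unreachable;  /* 1 = fail closed, 0 = fail open */
    const char *default_uri;  /* proposed fallback responder, may be NULL */
} ocsp_policy;

/* Responder to query: the URI from the certificate wins, then the fallback. */
const char *pick_responder(const ocsp_policy *p, const char *cert_uri) {
    if (cert_uri != NULL && cert_uri[0] != '\0') return cert_uri;
    return p->default_uri;    /* NULL when no fallback is configured */
}

/* `queried` is the responder's answer; it only counts if a responder exists. */
auth_decision ocsp_decide(const ocsp_policy *p, const char *cert_uri,
                          ocsp_result queried) {
    if (!p->enabled) return AUTH_ACCEPT;            /* check switched off */
    /* Assumption: no responder URI at all is handled like an unreachable server. */
    ocsp_result r = pick_responder(p, cert_uri) ? queried : OCSP_UNREACHABLE;
    switch (r) {
    case OCSP_GOOD:    return AUTH_ACCEPT;
    case OCSP_REVOKED: return AUTH_REJECT;          /* never overridden by policy */
    case OCSP_UNKNOWN: return AUTH_REJECT;          /* assumption: unknown is not good */
    case OCSP_UNREACHABLE:
    default:
        return p->fail_if_unreachable ? AUTH_REJECT : AUTH_ACCEPT;
    }
}

int main(void) {
    const char *uri = "http://ocsp.example.test";   /* constructed sample URI */
    ocsp_policy soft = {1, 0, NULL}, hard = {1, 1, NULL};
    /* Same certificate, responder down: only the fail-closed setting rejects. */
    printf("fail-open:   %s\n",
           ocsp_decide(&soft, uri, OCSP_UNREACHABLE) == AUTH_ACCEPT ? "accept" : "reject");
    printf("fail-closed: %s\n",
           ocsp_decide(&hard, uri, OCSP_UNREACHABLE) == AUTH_ACCEPT ? "accept" : "reject");
    return 0;
}
```

With the fail-open setting, a revoked certificate is still accepted whenever the responder cannot be reached, so that setting trades revocation enforcement for availability.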