Classification: UNCLASSIFIED
Caveats: NONE

Thank you François!

---
Dwight Victor, CISSP (Contractor)
TEL: (808) 653-3677 ext 229

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 11, 2006 10:14 PM
To: modssl-users@modssl.org
Subject: Re: OCSP? (UNCLASSIFIED)

http://www.belgium.be/zip/eid_authentication_proxy_fr.html

You will find there an updated version of mod-ssl including OCSP check
as well as the documentation to set it up.

2006/10/11, Victor, Dwight P CTR DISA PAC <[EMAIL PROTECTED]>:
> Hi Eriks,
>
> Thanks for the tip regarding Tumbleweed & WebCullis. I'll definitely
> have to do some research.
>
> Paul,
>
> One of my web searches pulled up the fact that HP-UX has an
> OCSP-enabled version of mod_ssl. Seems to be a lucky break for you.
> Hope that works out.
>
> I have experienced a large memory hit anytime certificate checking is
> performed against the CRLs (some of which are 13 MB in size) in the
> range of 75 MB per Apache server instance. Luckily we aren't that
> busy, or we would definitely be feeling the pain.
>
> BTW, I've been reading a bit about mod_nss
> (http://directory.fedora.redhat.com/wiki/Mod_nss). This module sounds
> interesting, but it isn't supported on HP-UX. I'll have to give it a
> try and I'll let the list know the results (if I can find some time to
> play with it).
>
> Thanks again,
>
> Dwight...
>
> ---
> Dwight Victor, CISSP (Contractor)
> EMAIL: [EMAIL PROTECTED]
> SMAIL: [EMAIL PROTECTED]
> TEL: (808) 653-3677 ext 229
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 11, 2006 10:55 AM
> To: modssl-users@modssl.org
> Subject: RE: OCSP? (UNCLASSIFIED)
>
> Thanks Eriks, appreciate the info. We are using HP-UX, so the
> Tumbleweed solution won't work for us. We do have an HP version of
> Apache that has the OCSP mod of mod_ssl, but we just installed it
> (today) and haven't had a chance to look at the documentation yet.
> Will post back and let you know what we found out. Thanks again.
>
> Paul
>
> Richters, Eriks A wrote:
> >
> > I went down this road a few months ago. Someone wrote a patch that
> > would add OCSP client functionality to Apache, but the patch never
> > got folded into the Apache mainline code. We spent a bit of effort
> > trying to get the patch to work with our version of Apache with no
> > luck. There are two products from commercial organizations out
> > there that can help. One is from Tumbleweed, called Server
> > Validator. It's pricey, about $2000 per server, but works pretty
> > well. It's very easy to install and configure and has some nice
> > features for supporting OCSP and failing over to CRLs. It is
> > supported on several platforms. The other product is called
> > WebCullis from the organization that used to be Orion Security.
> > (Orion Security has since been bought by Entrust.) It used to be
> > under the GPL, which was nice. At the time, they only had a version
> > for Windows and Intel-based Solaris.
> >
> > I hope this helps.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of pbains
> > Sent: Wednesday, October 11, 2006 4:32 PM
> > To: modssl-users@modssl.org
> > Subject: Re: OCSP? (UNCLASSIFIED)
> >
> > My organization is headed down this road after experiencing
> > performance degradation from checking large CRLs. As we come up with
> > a solution, will post what I find out. Alternatively, if you have
> > any information, would appreciate it, thanks!
> >
> > Paul
> >
> > Victor, Dwight P CTR DISA PAC wrote:
> >>
> >> Hello List!
> >>
> >> Has anyone had any experience/success with using mod_ssl + Apache
> >> v2 to query an OCSP responder regarding the status of an end-user
> >> provided certificate and allow/deny access based on the response?
> >> Any tips, suggestions, discussion would be appreciated.
> >>
> >> Best Regards,
> >>
> >> Dwight...
> >>
> >> ---
> >> Dwight Victor, CISSP (Contractor)
> >> Systems Administrator / Webmaster
> >> General Dynamics C4 Systems
> >> EMAIL: [EMAIL PROTECTED]
> >> TEL: (808) 653-3677 ext 229
> >
> > --
> > View this message in context:
> > http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.html#a6764147
> > Sent from the mod_ssl - Users mailing list archive at Nabble.com.
>
> --
> View this message in context:
> http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.html#a6764600
> Sent from the mod_ssl - Users mailing list archive at Nabble.com.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                               [EMAIL PROTECTED]