Thank you François! After reading the documentation and looking at the Apache
developer's notes, I am still not clear on how to specify an OCSP responder
if the responder URI is not included in the responder's certificate. From
the Apache developer's notes, I think it is via a configuration option in
ssl.conf, but I have not seen an example, only misc notes. Does anyone know
how to do this? We would like to be able to specify a specific responder if
the URI is not contained in the server's cert. Thanks in advance.

Paul


François Soumillion wrote:
> 
> http://www.belgium.be/zip/eid_authentication_proxy_fr.html
> 
> You will find there an updated version of mod-ssl including OCSP check
> as well as the documentation to set it up.
> 
> 2006/10/11, Victor, Dwight P CTR DISA PAC <[EMAIL PROTECTED]>:
>> Classification:  UNCLASSIFIED
>> Caveats: NONE
>>
>> Hi Eriks,
>>
>> Thanks for the tip regarding Tumbleweed & WebCullis.  I'll definitely
>> have
>> to do some research.
>>
>> Paul,
>>
>> One of my web searches pulled up the fact that HP-UX has a OCSP enabled
>> version of mod_ssl.  Seems to be a lucky break for you.  Hope that works
>> out.
>>
>> I have experienced a large memory hit anytime certificate checking is
>> performed against the CRLs (some of which are 13 MB in size) in the range
>> of
>> 75MB per Apache server instance.  Luckily we aren't that busy, or we
>> would
>> definitely be feeling the pain.
>>
>> BTW, I've been reading a bit about mod_nss
>> (http://directory.fedora.redhat.com/wiki/Mod_nss).  This module sounds
>> interesting, but it isn't supported on HP-UX.  I'll have to give it a try
>> and I'll let the list know the results (if I can find some time to play
>> with
>> it).
>> Thanks again,
>>
>> Dwight...
>>
>> ---
>> Dwight Victor, CISSP (Contractor)
>> EMAIL: [EMAIL PROTECTED]
>> SMAIL: [EMAIL PROTECTED]
>> TEL:   (808) 653-3677 ext 229
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]
>> Sent: Wednesday, October 11, 2006 10:55 AM
>> To: modssl-users@modssl.org
>> Subject: RE: OCSP? (UNCLASSIFIED)
>>
>>
>> Thanks Eriks, appreciate the info. We are using HP-UX, so the Tumbleweed
>> solution won't work for us. We do have an HP version of Apache that has
>> the
>> OCSP mod of mod_ssl, but we just installed it (today) and haven't had a
>> chance to look at the documentation yet. Will post back and let you know
>> what we found out. Thanks again.
>>
>> Paul
>>
>>
>> Richters, Eriks A wrote:
>> >
>> > I went down this road a few months ago.  Someone wrote a patch that
>> > would add OCSP client functionality to Apache, but the patch never got
>> > folded into the Apache mainline code.  We spent a bit of effort trying
>> > to get the patch to work with our version of Apache with no luck.
>> > There are two products from commercial organizations out there that
>> > can help.  One is from Tumbleweed, called Server Validator.  It's
>> > pricey about $2000 per server, but works pretty well. Its very easy to
>> > install and configure and has some nice features for supporting OCSP
>> > and failing over to CRLs.  It is supported on several platforms.
>> > The other product is called WebCullis from the organization that used
>> > to be Orion Security. (Orion Security has since been bought by
>> > Entrust.) It used to be under the GPL, which was nice.  At the time,
>> > they only had a version for Windows and Intel based Solaris.
>> > I hope this helps.
>> >
>> > -----Original Message-----
>> > From: [EMAIL PROTECTED]
>> > [mailto:[EMAIL PROTECTED] On Behalf Of pbains
>> > Sent: Wednesday, October 11, 2006 4:32 PM
>> > To: modssl-users@modssl.org
>> > Subject: Re: OCSP? (UNCLASSIFIED)
>> >
>> >
>> > My organization is headed down this road after experiencing
>> > performance degradation from checking large CRLs. As we come up with a
>> > solution, will post what I find out. Alternatively, if you have any
>> > information, would appreciate it, thanks!
>> >
>> > Paul
>> >
>> >
>> > Victor, Dwight P CTR DISA PAC wrote:
>> >>
>> >> Classification:  UNCLASSIFIED
>> >> Caveats: NONE
>> >>
>> >>
>> >> Hello List!
>> >>
>> >> Has anyone had any experience/success with using mod_ssl + Apache v2
>> > to
>> >> query an OCSP responder regarding the status of an end-user provided
>> >> certificate and allow/deny access based on the response?  Any tips,
>> >> suggestions, discussion would be appreciated.
>> >>
>> >> Best Regards,
>> >>
>> >> Dwight...
>> >>
>> >> ---
>> >> Dwight Victor, CISSP (Contractor)
>> >> Systems Administrator / Webmaster
>> >> General Dynamics C4 Systems
>> >> EMAIL: [EMAIL PROTECTED]
>> >> TEL:   (808) 653-3677 ext 229
>> >>
>> >> Classification:  UNCLASSIFIED
>> >> Caveats: NONE
>> >>
>> >>
>> >>
>> >>
>> >
>> > --
>> > View this message in context:
>> > http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.html#a6764147
>> > Sent from the mod_ssl - Users mailing list archive at Nabble.com.
>> >
>> > ______________________________________________________________________
>> > Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
>> > User Support Mailing List                      modssl-users@modssl.org
>> > Automated List Manager                            [EMAIL PROTECTED]
>> >
>> > ______________________________________________________________________
>> > Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
>> > User Support Mailing List                      modssl-users@modssl.org
>> > Automated List Manager                            [EMAIL PROTECTED]
>> >
>> >
>>
>> --
>> View this message in context:
>> http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.html#a6764600
>> Sent from the mod_ssl - Users mailing list archive at Nabble.com.
>>
>> ______________________________________________________________________
>> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
>> User Support Mailing List                      modssl-users@modssl.org
>> Automated List Manager                            [EMAIL PROTECTED]
>> Classification:  UNCLASSIFIED
>> Caveats: NONE
>>
>> ______________________________________________________________________
>> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
>> User Support Mailing List                      modssl-users@modssl.org
>> Automated List Manager                            [EMAIL PROTECTED]
>>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      modssl-users@modssl.org
> Automated List Manager                            [EMAIL PROTECTED]
> 
> 

-- 
View this message in context: 
http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.html#a6783252
Sent from the mod_ssl - Users mailing list archive at Nabble.com.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]

Reply via email to