Thank you François! After reading the documentation and looking at the Apache developer's notes, I am still not clear on how to specify an OCSP responder if the responder URI is not included in the responder's certificate. From the Apache developer's notes, I think it is via a configuration option in ssl.conf, but I have not seen an example, only misc notes. Does anyone know how to do this? We would like to be able to specify a specific responder if the URI is not contained in the server's cert. Thanks in advance.
Paul

François Soumillion wrote:
>
> http://www.belgium.be/zip/eid_authentication_proxy_fr.html
>
> You will find there an updated version of mod-ssl including OCSP check
> as well as the documentation to set it up.
>
> 2006/10/11, Victor, Dwight P CTR DISA PAC <[EMAIL PROTECTED]>:
>> Classification: UNCLASSIFIED
>> Caveats: NONE
>>
>> Hi Eriks,
>>
>> Thanks for the tip regarding Tumbleweed & WebCullis. I'll definitely
>> have to do some research.
>>
>> Paul,
>>
>> One of my web searches pulled up the fact that HP-UX has an OCSP enabled
>> version of mod_ssl. Seems to be a lucky break for you. Hope that works
>> out.
>>
>> I have experienced a large memory hit anytime certificate checking is
>> performed against the CRLs (some of which are 13 MB in size) in the range
>> of 75MB per Apache server instance. Luckily we aren't that busy, or we
>> would definitely be feeling the pain.
>>
>> BTW, I've been reading a bit about mod_nss
>> (http://directory.fedora.redhat.com/wiki/Mod_nss). This module sounds
>> interesting, but it isn't supported on HP-UX. I'll have to give it a try
>> and I'll let the list know the results (if I can find some time to play
>> with it).
>> Thanks again,
>>
>> Dwight...
>>
>> ---
>> Dwight Victor, CISSP (Contractor)
>> EMAIL: [EMAIL PROTECTED]
>> SMAIL: [EMAIL PROTECTED]
>> TEL: (808) 653-3677 ext 229
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]
>> Sent: Wednesday, October 11, 2006 10:55 AM
>> To: modssl-users@modssl.org
>> Subject: RE: OCSP? (UNCLASSIFIED)
>>
>>
>> Thanks Eriks, appreciate the info. We are using HP-UX, so the Tumbleweed
>> solution won't work for us. We do have an HP version of Apache that has
>> the OCSP mod of mod_ssl, but we just installed it (today) and haven't had
>> a chance to look at the documentation yet. Will post back and let you know
>> what we found out. Thanks again.
>>
>> Paul
>>
>>
>> Richters, Eriks A wrote:
>> >
>> > I went down this road a few months ago. Someone wrote a patch that
>> > would add OCSP client functionality to Apache, but the patch never got
>> > folded into the Apache mainline code. We spent a bit of effort trying
>> > to get the patch to work with our version of Apache with no luck.
>> > There are two products from commercial organizations out there that
>> > can help. One is from Tumbleweed, called Server Validator. It's
>> > pricey, about $2000 per server, but works pretty well. It's very easy to
>> > install and configure and has some nice features for supporting OCSP
>> > and failing over to CRLs. It is supported on several platforms.
>> > The other product is called WebCullis from the organization that used
>> > to be Orion Security. (Orion Security has since been bought by
>> > Entrust.) It used to be under the GPL, which was nice. At the time,
>> > they only had a version for Windows and Intel based Solaris.
>> > I hope this helps.
>> >
>> > -----Original Message-----
>> > From: [EMAIL PROTECTED]
>> > [mailto:[EMAIL PROTECTED] On Behalf Of pbains
>> > Sent: Wednesday, October 11, 2006 4:32 PM
>> > To: modssl-users@modssl.org
>> > Subject: Re: OCSP? (UNCLASSIFIED)
>> >
>> >
>> > My organization is headed down this road after experiencing
>> > performance degradation from checking large CRLs. As we come up with a
>> > solution, will post what I find out. Alternatively, if you have any
>> > information, would appreciate it, thanks!
>> >
>> > Paul
>> >
>> >
>> > Victor, Dwight P CTR DISA PAC wrote:
>> >>
>> >> Classification: UNCLASSIFIED
>> >> Caveats: NONE
>> >>
>> >>
>> >> Hello List!
>> >>
>> >> Has anyone had any experience/success with using mod_ssl + Apache v2
>> >> to query an OCSP responder regarding the status of an end-user provided
>> >> certificate and allow/deny access based on the response? Any tips,
>> >> suggestions, discussion would be appreciated.
>> >>
>> >> Best Regards,
>> >>
>> >> Dwight...
>> >>
>> >> ---
>> >> Dwight Victor, CISSP (Contractor)
>> >> Systems Administrator / Webmaster
>> >> General Dynamics C4 Systems
>> >> EMAIL: [EMAIL PROTECTED]
>> >> TEL: (808) 653-3677 ext 229
>> >>
>> >> Classification: UNCLASSIFIED
>> >> Caveats: NONE
>> >
>> > --
>> > View this message in context:
>> > http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.html#a6764147
>> > Sent from the mod_ssl - Users mailing list archive at Nabble.com.
>> >
>> > ______________________________________________________________________
>> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>> > User Support Mailing List modssl-users@modssl.org
>> > Automated List Manager [EMAIL PROTECTED]
>> >
>>
>> --
>> View this message in context:
>> http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.html#a6764600
>> Sent from the mod_ssl - Users mailing list archive at Nabble.com.
>> Classification: UNCLASSIFIED
>> Caveats: NONE
>

--
View this message in context:
http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.html#a6783252
Sent from the mod_ssl - Users mailing list archive at Nabble.com.
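For the case Paul asks about (a client certificate that carries no OCSP responder URI), the following is an added configuration example, not from this thread and not from the belgium.be patched mod-ssl: it uses the OCSP directives that mainline Apache httpd 2.4 mod_ssl later shipped, where a default responder is named in the vhost and optionally forced for every check. The responder host, certificate paths and CA bundle are placeholders; whether the 2006 patch used the same directive names is not confirmed by this thread.

```apache
# Added example (httpd 2.4 mod_ssl directives, not the belgium.be patch).
# ocsp.example.invalid and the file paths below are placeholders.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key

    # Require a client certificate that chains to the trusted CA bundle.
    SSLVerifyClient require
    SSLVerifyDepth  3
    SSLCACertificateFile /etc/httpd/ssl/ca-bundle.crt

    # Ask an OCSP responder about every certificate in the client chain
    # instead of loading large CRLs into each server process.
    SSLOCSPEnable on

    # Responder used when a certificate has no OCSP URI in its
    # Authority Information Access extension: the situation in the question.
    SSLOCSPDefaultResponder http://ocsp.example.invalid/

    # "on" ignores any AIA URI in the certificate and always queries the
    # default responder, e.g. to route all checks through an internal one.
    SSLOCSPOverrideResponder off

    # Seconds to wait for the responder; an unanswered query is a
    # verification failure, not a silent pass.
    SSLOCSPResponderTimeout 10

    # Bound the age of a response (thisUpdate, seconds; -1 = no limit)
    # and the clock skew tolerated when checking its validity window.
    SSLOCSPResponseMaxAge   86400
    SSLOCSPResponseTimeSkew 300
</VirtualHost>
```

Check the directive set against the mod_ssl documentation for the exact httpd release in use, since the OCSP directives were added after the 2.2 line this thread predates.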