I've been happily using Pound in front of mod_ssl-less Apache, handling all my sites & certs.

I'm hoping to deploy an OCSP responder for online/dynamic SSL certificate mgmt, ideally standalone rather than as part of a larger infrastructure (DogTag, EJBCA, OpenCA, etc). Although OpenSSL's ocsp "mini server" works, it's recommended NOT to use it for production.

Seems the way to go is 'OCSP Stapling' (http://en.wikipedia.org/wiki/OCSP_Stapling), which has been added to mod_ssl in the Apache 2.4.x trunk (https://issues.apache.org/bugzilla/show_bug.cgi?id=43822). FYI, the relevant mod_ssl OCSP directives are at http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslocspdefaultresponder

I'd rather not have to re-bloat Apache by enabling mod_ssl, but would then need OCSP stapling support in Pound. AFAICT, it's been discussed back in 2005 (http://www.apsis.ch/pound/pound_list/archive/2005/2005-10/1129827166000/index_html?fullMode=1), but went no further once challenged with:

"Please try to slow down for a moment and consider if your suggestions are really necessary (do they add anything to the program), and if they make sense. Are your suggestions based just on seeing the same features in other systems, or can you show us a real need for them? Is it worth the effort and extra complexity?"

OCSP service is no longer an uncommon application these days, and, in fact, is oft recommended as a preferred approach to static CRL publication etc ... so, I'd argue, not just a "same feature as in other systems", but one that fills/meets a current/evolving need.

Possible to have added?

Thanks.
