On 02/05/2014 02:44 AM, Kaspar Brand wrote:
> On 05.02.2014 08:25, Brian Smith wrote:
>> It would be possible for a server to fetch and staple the OCSP
>> response only using the information from the server's end-entity
>> certificate.
>
> Actually no - you can't properly fill in the CertID for th
> Date: Wed, 5 Feb 2014 18:59:18 +
> From: shen...@opensslfoundation.com
>
> Ugh, messed up. Should be fixed now.
>
> Steve.
Yes, it is working now. Thank you.
On 05/02/2014 18:32, Falco Schwarz wrote:
>> I've just added this though in a slightly different way. Please test the next
>> snapshot or just pull the latest 1.0.2 branch from git.
>
>
> Just pulled the latest 1.0.2 branch from git and recompiled OpenSSL / httpd.
> I cannot get Stapling to work,
> I've just added this though in a slightly different way. Please test the next
> snapshot or just pull the latest 1.0.2 branch from git.
Just pulled the latest 1.0.2 branch from git and recompiled OpenSSL / httpd.
I cannot get Stapling to work, though.
2014-02-05 18:52:56 foo.bar [mpm_prefork|n
On 05/02/2014 16:44, Falco Schwarz wrote:
>> I assume that you are using (a snapshot of) OpenSSL 1.0.2, is that correct?
>
> Yes, I was using a nightly snapshot of OpenSSL 1.0.2
>
I've just added this though in a slightly different way. Please test the next
snapshot or just pull the latest 1.0.2
> I assume that you are using (a snapshot of) OpenSSL 1.0.2, is that correct?
Yes, I was using a nightly snapshot of OpenSSL 1.0.2
> Falco, can you confirm that applying one of the attached patches solves
> the problem for you?
I have tested both patches separately, each of them solves the prob
On 05/02/2014 07:17, Kaspar Brand wrote:
>
> There are two ways to address the issue: either in mod_ssl, or in
> OpenSSL. I'm not sure which one is preferable, but Mr. OpenSSL will
> hopefully tell us... (Steve: in theory, modifying the behavior of
> SSL_CTX_get_extra_chain_certs should be accept
On 05.02.2014 08:25, Brian Smith wrote:
> It would be possible for a server to fetch and staple the OCSP
> response only using the information from the server's end-entity
> certificate.
Actually no - you can't properly fill in the CertID for the request
otherwise. From RFC 6960:
>Request
On Tue, Feb 4, 2014 at 10:25 AM, Reindl Harald wrote:
> On 04.02.2014 19:16, Falco Schwarz wrote:
>> After playing around a bit more with this patch, I discovered that
>> OCSPStapling cannot get the issuer certificate if you use only the
>> SSLCertificateFile directive. It works if you specify
On 04.02.2014 19:16, Falco Schwarz wrote:
> After playing around a bit more with this patch, I discovered that
> OCSPStapling cannot get the issuer certificate if you use only the
> SSLCertificateFile directive. It works if you specify
> SSLCertificateChainFile, though.
>
> Error only using SSL
> the information for OCSP stapling is in the "SSLCertificateChainFile" by
> definition
> http://en.wikipedia.org/wiki/OCSP_stapling
I know that. It cannot however be there if one is trying to deprecate this
Directive as of https://svn.apache.org/r1553824
On 04.02.2014 19:16, Falco Schwarz wrote:
> After playing around a bit more with this patch, I discovered that
> OCSPStapling cannot get the issuer certificate if you use only the
> SSLCertificateFile directive. It works if you specify
> SSLCertificateChainFile, though.
>
> Error only using