I went down this road a few months ago. Someone wrote a patch that
would add OCSP client functionality to Apache, but the patch never got
folded into the Apache mainline code. We spent a bit of effort trying
to get the patch to work with our version of Apache with no luck.
There are two products from commercial organizations out there that can
help. One is from Tumbleweed, called Server Validator. It's pricey
about $2000 per server, but works pretty well. Its very easy to install
and configure and has some nice features for supporting OCSP and failing
over to CRLs. It is supported on several platforms. =20
The other product is called WebCullis from the organization that used to
be Orion Security. (Orion Security has since been bought by Entrust.)
It used to be under the GPL, which was nice. At the time, they only had
a version for Windows and Intel based Solaris.=20
I hope this helps.=20

-----Original Message-----
From: owner-modssl-users@modssl.org
[mailtowner-modssl-users@modssl.org] On Behalf Of pbains
Sent: Wednesday, October 11, 2006 4:32 PM
To: modssl-users@modssl.org
Subject: Re: OCSP? (UNCLASSIFIED)


My organization is headed down this road after experiencing performance
degradation from checking large CRLs. As we come up with a solution,
will
post what I find out. Alternatively, if you have any information, would
appreciate it, thanks!

Paul


Victor, Dwight P CTR DISA PAC wrote:
>=20
> Classification: UNCLASSIFIED=20
> Caveats: NONE
>=20
>=20
> Hello List!
>=20
> Has anyone had any experience/success with using mod_ssl + Apache v2

to
> query an OCSP responder regarding the status of an end-user provided
> certificate and allow/deny access based on the response? Any tips,
> suggestions, discussion would be appreciated.
>=20
> Best Regards,
>=20
> Dwight...
>=20
> ---
> Dwight Victor, CISSP (Contractor)
> Systems Administrator / Webmaster
> General Dynamics C4 Systems
> EMAIL: dwight.victor.ctr@disa.mil
> TEL: (808) 653-3677 ext 229
>=20
> Classification: UNCLASSIFIED=20
> Caveats: NONE
>=20
>=20
> =20
>=20


--=20
View this message in context:
http://www.nabble.com/OCSP--%28UNCLA....html#a6764147
Sent from the mod_ssl - Users mailing list archive at Nabble.com.

__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org