Thanks Eriks, appreciate the info. We are using HP-UX, so the Tumbleweed
solution won't work for us. We do have an HP version of Apache that has the
OCSP mod of mod_ssl, but we just installed it (today) and haven't had a
chance to look at the documentation yet. Will post back and let you know
what we found out. Thanks again.

Paul


Richters, Eriks A wrote:
>
> I went down this road a few months ago. Someone wrote a patch that
> would add OCSP client functionality to Apache, but the patch never got
> folded into the Apache mainline code. We spent a bit of effort trying
> to get the patch to work with our version of Apache with no luck.
> There are two products from commercial organizations out there that can
> help. One is from Tumbleweed, called Server Validator. It's pricey
> about $2000 per server, but works pretty well. Its very easy to install
> and configure and has some nice features for supporting OCSP and failing
> over to CRLs. It is supported on several platforms.
> The other product is called WebCullis from the organization that used to
> be Orion Security. (Orion Security has since been bought by Entrust.)
> It used to be under the GPL, which was nice. At the time, they only had
> a version for Windows and Intel based Solaris.
> I hope this helps.
>
> -----Original Message-----
> From: owner-modssl-users@modssl.org
> [mailtowner-modssl-users@modssl.org] On Behalf Of pbains
> Sent: Wednesday, October 11, 2006 4:32 PM
> To: modssl-users@modssl.org
> Subject: Re: OCSP? (UNCLASSIFIED)
>
>
> My organization is headed down this road after experiencing performance
> degradation from checking large CRLs. As we come up with a solution,
> will
> post what I find out. Alternatively, if you have any information, would
> appreciate it, thanks!
>
> Paul
>
>
> Victor, Dwight P CTR DISA PAC wrote:
>>
>> Classification: UNCLASSIFIED
>> Caveats: NONE
>>
>>
>> Hello List!
>>
>> Has anyone had any experience/success with using mod_ssl + Apache v2

> to
>> query an OCSP responder regarding the status of an end-user provided
>> certificate and allow/deny access based on the response? Any tips,
>> suggestions, discussion would be appreciated.
>>
>> Best Regards,
>>
>> Dwight...
>>
>> ---
>> Dwight Victor, CISSP (Contractor)
>> Systems Administrator / Webmaster
>> General Dynamics C4 Systems
>> EMAIL: dwight.victor.ctr@disa.mil
>> TEL: (808) 653-3677 ext 229
>>
>> Classification: UNCLASSIFIED
>> Caveats: NONE
>>
>>
>>
>>

>
> --
> View this message in context:
> http://www.nabble.com/OCSP--%28UNCLA....html#a6764147
> Sent from the mod_ssl - Users mailing list archive at Nabble.com.
>
> __________________________________________________ ____________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
> __________________________________________________ ____________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
>


--
View this message in context: http://www.nabble.com/OCSP--%28UNCLA....html#a6764600
Sent from the mod_ssl - Users mailing list archive at Nabble.com.

__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org