http://www.belgium.be/zip/eid_authen..._proxy_fr.html

You will find there an updated version of mod-ssl including OCSP check
as well as the documentation to set it up.

2006/10/11, Victor, Dwight P CTR DISA PAC :
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> Hi Eriks,
>
> Thanks for the tip regarding Tumbleweed & WebCullis. I'll definitely have
> to do some research.
>
> Paul,
>
> One of my web searches pulled up the fact that HP-UX has a OCSP enabled
> version of mod_ssl. Seems to be a lucky break for you. Hope that works
> out.
>
> I have experienced a large memory hit anytime certificate checking is
> performed against the CRLs (some of which are 13 MB in size) in the range of
> 75MB per Apache server instance. Luckily we aren't that busy, or we would
> definitely be feeling the pain.
>
> BTW, I've been reading a bit about mod_nss
> (http://directory.fedora.redhat.com/wiki/Mod_nss). This module sounds
> interesting, but it isn't supported on HP-UX. I'll have to give it a try
> and I'll let the list know the results (if I can find some time to play with
> it).
> Thanks again,
>
> Dwight...
>
> ---
> Dwight Victor, CISSP (Contractor)
> EMAIL: dwight.victor.ctr@disa.mil
> SMAIL: victord@pac.disa.smil.mil
> TEL: (808) 653-3677 ext 229
>
> -----Original Message-----
> From: owner-modssl-users@modssl.org [mailtowner-modssl-users@modssl.org]
> Sent: Wednesday, October 11, 2006 10:55 AM
> To: modssl-users@modssl.org
> Subject: RE: OCSP? (UNCLASSIFIED)
>
>
> Thanks Eriks, appreciate the info. We are using HP-UX, so the Tumbleweed
> solution won't work for us. We do have an HP version of Apache that has the
> OCSP mod of mod_ssl, but we just installed it (today) and haven't had a
> chance to look at the documentation yet. Will post back and let you know
> what we found out. Thanks again.
>
> Paul
>
>
> Richters, Eriks A wrote:
> >
> > I went down this road a few months ago. Someone wrote a patch that
> > would add OCSP client functionality to Apache, but the patch never got
> > folded into the Apache mainline code. We spent a bit of effort trying
> > to get the patch to work with our version of Apache with no luck.
> > There are two products from commercial organizations out there that
> > can help. One is from Tumbleweed, called Server Validator. It's
> > pricey about $2000 per server, but works pretty well. Its very easy to
> > install and configure and has some nice features for supporting OCSP
> > and failing over to CRLs. It is supported on several platforms.
> > The other product is called WebCullis from the organization that used
> > to be Orion Security. (Orion Security has since been bought by
> > Entrust.) It used to be under the GPL, which was nice. At the time,
> > they only had a version for Windows and Intel based Solaris.
> > I hope this helps.
> >
> > -----Original Message-----
> > From: owner-modssl-users@modssl.org
> > [mailtowner-modssl-users@modssl.org] On Behalf Of pbains
> > Sent: Wednesday, October 11, 2006 4:32 PM
> > To: modssl-users@modssl.org
> > Subject: Re: OCSP? (UNCLASSIFIED)
> >
> >
> > My organization is headed down this road after experiencing
> > performance degradation from checking large CRLs. As we come up with a
> > solution, will post what I find out. Alternatively, if you have any
> > information, would appreciate it, thanks!
> >
> > Paul
> >
> >
> > Victor, Dwight P CTR DISA PAC wrote:
> >>
> >> Classification: UNCLASSIFIED
> >> Caveats: NONE
> >>
> >>
> >> Hello List!
> >>
> >> Has anyone had any experience/success with using mod_ssl + Apache v2

> > to
> >> query an OCSP responder regarding the status of an end-user provided
> >> certificate and allow/deny access based on the response? Any tips,
> >> suggestions, discussion would be appreciated.
> >>
> >> Best Regards,
> >>
> >> Dwight...
> >>
> >> ---
> >> Dwight Victor, CISSP (Contractor)
> >> Systems Administrator / Webmaster
> >> General Dynamics C4 Systems
> >> EMAIL: dwight.victor.ctr@disa.mil
> >> TEL: (808) 653-3677 ext 229
> >>
> >> Classification: UNCLASSIFIED
> >> Caveats: NONE
> >>
> >>
> >>
> >>

> >
> > --
> > View this message in context:
> > http://www.nabble.com/OCSP--%28UNCLA....html#a6764147
> > Sent from the mod_ssl - Users mailing list archive at Nabble.com.
> >
> > __________________________________________________ ____________________
> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > User Support Mailing List modssl-users@modssl.org
> > Automated List Manager majordomo@modssl.org
> >
> > __________________________________________________ ____________________
> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > User Support Mailing List modssl-users@modssl.org
> > Automated List Manager majordomo@modssl.org
> >
> >

>
> --
> View this message in context:
> http://www.nabble.com/OCSP--%28UNCLA....html#a6764600
> Sent from the mod_ssl - Users mailing list archive at Nabble.com.
>
> __________________________________________________ ____________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> __________________________________________________ ____________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>

__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org