Classification: UNCLASSIFIED
Caveats: NONE


Thank you François!

---
Dwight Victor, CISSP (Contractor)
TEL: (808) 653-3677 ext 229

-----Original Message-----
From: owner-modssl-users@modssl.org [mailto:owner-modssl-users@modssl.org]
Sent: Wednesday, October 11, 2006 10:14 PM
To: modssl-users@modssl.org
Subject: Re: OCSP? (UNCLASSIFIED)

http://www.belgium.be/zip/eid_authen..._proxy_fr.html

You will find there an updated version of mod-ssl including OCSP check as
well as the documentation to set it up.

2006/10/11, Victor, Dwight P CTR DISA PAC :
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> Hi Eriks,
>
> Thanks for the tip regarding Tumbleweed & WebCullis. I'll definitely
> have to do some research.
>
> Paul,
>
> One of my web searches pulled up the fact that HP-UX has an OCSP
> enabled version of mod_ssl. Seems to be a lucky break for you. Hope
> that works out.
>
> I have experienced a large memory hit anytime certificate checking is
> performed against the CRLs (some of which are 13 MB in size) in the
> range of 75MB per Apache server instance. Luckily we aren't that
> busy, or we would definitely be feeling the pain.
>
> BTW, I've been reading a bit about mod_nss
> (http://directory.fedora.redhat.com/wiki/Mod_nss). This module sounds
> interesting, but it isn't supported on HP-UX. I'll have to give it a
> try and I'll let the list know the results (if I can find some time to
> play with it).
> Thanks again,
>
> Dwight...
>
> ---
> Dwight Victor, CISSP (Contractor)
> EMAIL: dwight.victor.ctr@disa.mil
> SMAIL: victord@pac.disa.smil.mil
> TEL: (808) 653-3677 ext 229
>
> -----Original Message-----
> From: owner-modssl-users@modssl.org
> [mailto:owner-modssl-users@modssl.org]
> Sent: Wednesday, October 11, 2006 10:55 AM
> To: modssl-users@modssl.org
> Subject: RE: OCSP? (UNCLASSIFIED)
>
>
> Thanks Eriks, appreciate the info. We are using HP-UX, so the
> Tumbleweed solution won't work for us. We do have an HP version of
> Apache that has the OCSP mod of mod_ssl, but we just installed it
> (today) and haven't had a chance to look at the documentation yet.
> Will post back and let you know what we found out. Thanks again.
>
> Paul
>
>
> Richters, Eriks A wrote:
> >
> > I went down this road a few months ago. Someone wrote a patch that
> > would add OCSP client functionality to Apache, but the patch never
> > got folded into the Apache mainline code. We spent a bit of effort
> > trying to get the patch to work with our version of Apache with no luck.
> > There are two products from commercial organizations out there that
> > can help. One is from Tumbleweed, called Server Validator. It's
> > pricey, about $2000 per server, but works pretty well. It's very easy
> > to install and configure and has some nice features for supporting
> > OCSP and failing over to CRLs. It is supported on several platforms.
> > The other product is called WebCullis from the organization that
> > used to be Orion Security. (Orion Security has since been bought by
> > Entrust.) It used to be under the GPL, which was nice. At the time,
> > they only had a version for Windows and Intel based Solaris.
> > I hope this helps.
> >
> > -----Original Message-----
> > From: owner-modssl-users@modssl.org
> > [mailto:owner-modssl-users@modssl.org] On Behalf Of pbains
> > Sent: Wednesday, October 11, 2006 4:32 PM
> > To: modssl-users@modssl.org
> > Subject: Re: OCSP? (UNCLASSIFIED)
> >
> >
> > My organization is headed down this road after experiencing
> > performance degradation from checking large CRLs. As we come up with
> > a solution, will post what I find out. Alternatively, if you have
> > any information, would appreciate it, thanks!
> >
> > Paul
> >
> >
> > Victor, Dwight P CTR DISA PAC wrote:
> >>
> >> Classification: UNCLASSIFIED
> >> Caveats: NONE
> >>
> >>
> >> Hello List!
> >>
> >> Has anyone had any experience/success with using mod_ssl + Apache v2 to
> >> query an OCSP responder regarding the status of an end-user
> >> provided certificate and allow/deny access based on the response?
> >> Any tips, suggestions, discussion would be appreciated.
> >>
> >> Best Regards,
> >>
> >> Dwight...
> >>
> >> ---
> >> Dwight Victor, CISSP (Contractor)
> >> Systems Administrator / Webmaster
> >> General Dynamics C4 Systems
> >> EMAIL: dwight.victor.ctr@disa.mil
> >> TEL: (808) 653-3677 ext 229
> >>
> >> Classification: UNCLASSIFIED
> >> Caveats: NONE
> >>
> >
> > --
> > View this message in context:
> > http://www.nabble.com/OCSP--%28UNCLA...61.html#a6764147
> > Sent from the mod_ssl - Users mailing list archive at Nabble.com.
> >
> > ______________________________________________________________________
> > Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> > User Support Mailing List                      modssl-users@modssl.org
> > Automated List Manager                            majordomo@modssl.org
> >
>
> --
> View this message in context:
> http://www.nabble.com/OCSP--%28UNCLA....html#a6764600
> Sent from the mod_ssl - Users mailing list archive at Nabble.com.
>
> Classification: UNCLASSIFIED
> Caveats: NONE
>

Classification: UNCLASSIFIED
Caveats: NONE
