Thank you François! After reading the documentation and looking at the Apache
developer's notes, I am still not clear on how to specify an OCSP responder
if the responder URI is not included in the responder's certificate. From
the Apache developer's notes, I think it is via a configuration option in
ssl.conf, but I have not seen an example, only misc notes. Does anyone know
how to do this? We would like to be able to specify a specific responder if
the URI is not contained in the server's cert. Thanks in advance.

Paul


François Soumillion wrote:
>
> http://www.belgium.be/zip/eid_authen..._proxy_fr.html
>
> You will find there an updated version of mod-ssl including OCSP check
> as well as the documentation to set it up.
>
> 2006/10/11, Victor, Dwight P CTR DISA PAC :
>> Classification: UNCLASSIFIED
>> Caveats: NONE
>>
>> Hi Eriks,
>>
>> Thanks for the tip regarding Tumbleweed & WebCullis. I'll definitely
>> have
>> to do some research.
>>
>> Paul,
>>
>> One of my web searches pulled up the fact that HP-UX has a OCSP enabled
>> version of mod_ssl. Seems to be a lucky break for you. Hope that works
>> out.
>>
>> I have experienced a large memory hit anytime certificate checking is
>> performed against the CRLs (some of which are 13 MB in size) in the range
>> of
>> 75MB per Apache server instance. Luckily we aren't that busy, or we
>> would
>> definitely be feeling the pain.
>>
>> BTW, I've been reading a bit about mod_nss
>> (http://directory.fedora.redhat.com/wiki/Mod_nss). This module sounds
>> interesting, but it isn't supported on HP-UX. I'll have to give it a try
>> and I'll let the list know the results (if I can find some time to play
>> with
>> it).
>> Thanks again,
>>
>> Dwight...
>>
>> ---
>> Dwight Victor, CISSP (Contractor)
>> EMAIL: dwight.victor.ctr@disa.mil
>> SMAIL: victord@pac.disa.smil.mil
>> TEL: (808) 653-3677 ext 229
>>
>> -----Original Message-----
>> From: owner-modssl-users@modssl.org
>> [mailto:owner-modssl-users@modssl.org]
>> Sent: Wednesday, October 11, 2006 10:55 AM
>> To: modssl-users@modssl.org
>> Subject: RE: OCSP? (UNCLASSIFIED)
>>
>>
>> Thanks Eriks, appreciate the info. We are using HP-UX, so the Tumbleweed
>> solution won't work for us. We do have an HP version of Apache that has
>> the
>> OCSP mod of mod_ssl, but we just installed it (today) and haven't had a
>> chance to look at the documentation yet. Will post back and let you know
>> what we found out. Thanks again.
>>
>> Paul
>>
>>
>> Richters, Eriks A wrote:
>> >
>> > I went down this road a few months ago. Someone wrote a patch that
>> > would add OCSP client functionality to Apache, but the patch never got
>> > folded into the Apache mainline code. We spent a bit of effort trying
>> > to get the patch to work with our version of Apache with no luck.
>> > There are two products from commercial organizations out there that
>> > can help. One is from Tumbleweed, called Server Validator. It's
>> > pricey about $2000 per server, but works pretty well. Its very easy to
>> > install and configure and has some nice features for supporting OCSP
>> > and failing over to CRLs. It is supported on several platforms.
>> > The other product is called WebCullis from the organization that used
>> > to be Orion Security. (Orion Security has since been bought by
>> > Entrust.) It used to be under the GPL, which was nice. At the time,
>> > they only had a version for Windows and Intel based Solaris.
>> > I hope this helps.
>> >
>> > -----Original Message-----
>> > From: owner-modssl-users@modssl.org
>> > [mailto:owner-modssl-users@modssl.org] On Behalf Of pbains
>> > Sent: Wednesday, October 11, 2006 4:32 PM
>> > To: modssl-users@modssl.org
>> > Subject: Re: OCSP? (UNCLASSIFIED)
>> >
>> >
>> > My organization is headed down this road after experiencing
>> > performance degradation from checking large CRLs. As we come up with a
>> > solution, will post what I find out. Alternatively, if you have any
>> > information, would appreciate it, thanks!
>> >
>> > Paul
>> >
>> >
>> > Victor, Dwight P CTR DISA PAC wrote:
>> >>
>> >> Classification: UNCLASSIFIED
>> >> Caveats: NONE
>> >>
>> >>
>> >> Hello List!
>> >>
>> >> Has anyone had any experience/success with using mod_ssl + Apache v2
>> > to
>> >> query an OCSP responder regarding the status of an end-user provided
>> >> certificate and allow/deny access based on the response? Any tips,
>> >> suggestions, discussion would be appreciated.
>> >>
>> >> Best Regards,
>> >>
>> >> Dwight...
>> >>
>> >> ---
>> >> Dwight Victor, CISSP (Contractor)
>> >> Systems Administrator / Webmaster
>> >> General Dynamics C4 Systems
>> >> EMAIL: dwight.victor.ctr@disa.mil
>> >> TEL: (808) 653-3677 ext 229
>> >>
>> >> Classification: UNCLASSIFIED
>> >> Caveats: NONE
>> >>
>> >>
>> >>
>> >>
>> >
>> > --
>> > View this message in context:
>> > http://www.nabble.com/OCSP--%28UNCLA....html#a6764147
>> > Sent from the mod_ssl - Users mailing list archive at Nabble.com.
>> >
>> > __________________________________________________ ____________________
>> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>> > User Support Mailing List modssl-users@modssl.org
>> > Automated List Manager majordomo@modssl.org
>> >
>> >
>> >

>>
>> --
>> View this message in context:
>> http://www.nabble.com/OCSP--%28UNCLA....html#a6764600
>> Sent from the mod_ssl - Users mailing list archive at Nabble.com.
>>
>> Classification: UNCLASSIFIED
>> Caveats: NONE
>>
>>
>
>


--
View this message in context: http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.html#a6783252
Sent from the mod_ssl - Users mailing list archive at Nabble.com.

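For reference, the stock Apache httpd 2.4 mod_ssl (not the 2006 HP-UX build or the Belgian patched mod_ssl discussed in this thread) exposes the behaviour Paul asks about, a fallback responder for client certificates that carry no AIA OCSP URI, as plain directives. The following is an added configuration example, not from the thread or any of its posters; the hostname, file paths and responder URL are placeholders.

```apache
# Added example: OCSP checking of client certificates in stock Apache httpd 2.4 mod_ssl.
# All hostnames, paths and URLs below are placeholders, not values from the thread.
# Note: httpd does not allow trailing comments on a directive line, so comments
# sit on their own lines.
<VirtualHost *:443>
    SSLEngine on
    # Placeholder server certificate and key.
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # Require a client certificate that chains to this CA bundle (placeholder
    # path). The OCSP responder's signing certificate must also be verifiable
    # from this trust store, otherwise every response is rejected.
    SSLVerifyClient       require
    SSLVerifyDepth        3
    SSLCACertificateFile  /etc/ssl/certs/client-ca-bundle.pem

    # Check every certificate in the client's chain against OCSP
    # ("leaf" instead of "on" would check only the end-entity certificate).
    SSLOCSPEnable on

    # Responder used when a certificate has no AIA OCSP URI, which is exactly
    # the case raised in the thread. Placeholder URL.
    SSLOCSPDefaultResponder http://ocsp.example.internal/

    # "on" would send ALL queries to the default responder and ignore any AIA
    # URI in the certificate; leave it off unless that responder really answers
    # for the whole CA hierarchy you accept.
    SSLOCSPOverrideResponder off

    # Fail quickly instead of tying up a worker on an unreachable responder.
    SSLOCSPResponderTimeout 5
    # Tolerate 5 minutes of clock skew; reject responses older than one hour.
    SSLOCSPResponseTimeSkew 300
    SSLOCSPResponseMaxAge   3600
</VirtualHost>
```

With SSLOCSPEnable set, a revoked or unknown status, an unverifiable response, or an unreachable responder all cause the client-certificate verification, and therefore the TLS handshake, to fail, which is the allow/deny behaviour Dwight asked about at the start of the thread; a large CRL is no longer loaded per request, but the responder becomes a dependency whose availability should be monitored.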