OCSP? (UNCLASSIFIED)
am 17.05.2006 21:29:29 von Dwight.Victor.ctr
This is a multi-part message in MIME format.
------=_NextPart_000_008B_01C67994.63DDF890
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Classification: UNCLASSIFIED
Caveats: NONE
Hello List!
Has anyone had any experience/success with using mod_ssl + Apache v2 to
query an OCSP responder regarding the status of an end-user provided
certificate and allow/deny access based on the response? Any tips,
suggestions, discussion would be appreciated.
Best Regards,
Dwight...
---
Dwight Victor, CISSP (Contractor)
Systems Administrator / Webmaster
General Dynamics C4 Systems
EMAIL: dwight.victor.ctr@disa.mil
TEL: (808) 653-3677 ext 229
Classification: UNCLASSIFIED
Caveats: NONE
------=_NextPart_000_008B_01C67994.63DDF890
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEH AQAAoIIM9TCCBBww
ggOFoAMCAQICASgwDQYJKoZIhvcNAQEFBQAwYTELMAkGA1UEBhMCVVMxGDAW BgNVBAoTD1UuUy4g
R292ZXJubWVudDEMMAoGA1UECxMDRG9EMQwwCgYDVQQLEwNQS0kxHDAaBgNV BAMTE0RvRCBDTEFT
UyAzIFJvb3QgQ0EwHhcNMDMwNjEwMDk1NTAxWhcNMDkwNjA4MDk1NTAxWjBl MQswCQYDVQQGEwJV
UzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxDDAK BgNVBAsTA1BLSTEg
MB4GA1UEAxMXRE9EIENMQVNTIDMgRU1BSUwgQ0EtMTAwgZ8wDQYJKoZIhvcN AQEBBQADgY0AMIGJ
AoGBANQhe2pVqqwwtYkLXpPlJBxR3fip5SMYdRFf25JmURt8Zb1+KhM6CCOW xBmPJg3ER/L5rPtS
RFuuco6M+lSHDfKnRKepJFBUfSieHPeBCtvh35PSvjDKXEQMf5G+fmMcYL/H bHbDPrKxUHx5Sprk
xqQKolLXpLcvbqlDu8565vBpAgMBAAGjggHeMIIB2jAdBgNVHQ4EFgQUbzcj pNMg6/QMP2CfeUwL
chDSPJcwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wDAYDVR0k BAUwA4ABADAfBgNV
HSMEGDAWgBRsnKXwXI9tQY3EFzuQV8IPo81t/jAwBgNVHSAEKTAnMAsGCWCG SAFlAgELBTALBglg
hkgBZQIBCwkwCwYJYIZIAWUCAQsKMIGDBgNVHRIEfDB6hnhsZGFwOi8vZHMt My5jM3BraS5jaGFt
Yi5kaXNhLm1pbC9jbiUzZERvRCUyMENMQVNTJTIwMyUyMFJvb3QlMjBDQSUy Y291JTNkUEtJJTJj
b3UlM2REb0QlMmNvJTNkVS5TLiUyMEdvdmVybm1lbnQlMmNjJTNkVVMwgbAG A1UdHwSBqDCBpTCB
oqCBn6CBnIaBmWxkYXA6Ly9kcy0zLmMzcGtpLmNoYW1iLmRpc2EubWlsL2Nu JTNkRG9EJTIwQ0xB
U1MlMjAzJTIwUm9vdCUyMENBJTJjb3UlM2RQS0klMmNvdSUzZERvRCUyY28l M2RVLlMuJTIwR292
ZXJubWVudCUyY2MlM2RVUz9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0O2Jp bmFyeTANBgkqhkiG
9w0BAQUFAAOBgQCnZVmnmbJyuKSZpTUKwp7gCLe3akj225PQOrhHx0gt64LH 2fvDEwhCriHO8jRG
IyDdRCQiDpPe9u2Y/xK/wvIUWDUBPML/m+OwGODiuTF81N8egB7OtG+iq2sa 2oU+97oi1rYIFj4d
jZnvWz49FG9q5FTodfD1Yphd3hfJ6Y+DCTCCBEEwggOqoAMCAQICAx/mxDAN BgkqhkiG9w0BAQUF
ADBlMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQww CgYDVQQLEwNEb0Qx
DDAKBgNVBAsTA1BLSTEgMB4GA1UEAxMXRE9EIENMQVNTIDMgRU1BSUwgQ0Et MTAwHhcNMDUxMDEx
MDAwMDAwWhcNMDgxMDAzMjM1OTU5WjCBgjELMAkGA1UEBhMCVVMxGDAWBgNV BAoTD1UuUy4gR292
ZXJubWVudDEMMAoGA1UECxMDRG9EMQwwCgYDVQQLEwNQS0kxEzARBgNVBAsT CkNPTlRSQUNUT1Ix
KDAmBgNVBAMTH1ZJQ1RPUi5EV0lHSFQuUEhJTElQLjEyNjg3NzMxMDYwgZ8w DQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBAK+HFyjqsB3OI0A8uLG3w9mg0cgzxa94OPJGtVK9SoFx MlwnSHcxmobboTnC
NHKOXmkN6MT8bPp8Omeppf0zHTzSzcacwv/EkPz4Zk20IDwceo2RevXy01u7 U3777ZtW1EzLrjAL
6mY6oD2KXZG45OpJDjg4oNGbpo2k2WPTIP3bAgMBAAGjggHfMIIB2zAOBgNV HQ8BAf8EBAMCBSAw
JQYDVR0RBB4wHIEaZHdpZ2h0LnZpY3Rvci5jdHJAZGlzYS5taWwwHwYDVR0j BBgwFoAUbzcjpNMg
6/QMP2CfeUwLchDSPJcwHQYDVR0OBBYEFJGhNIbyEnLXIMahd22+LZAQg6FO MBYGA1UdIAQPMA0w
CwYJYIZIAWUCAQsJMIGOBgNVHRIEgYYwgYOGgYBsZGFwOi8vZW1haWwtZHMt NC5jM3BraS5kZW4u
ZGlzYS5taWwvY24lM2RET0QlMjBDTEFTUyUyMDMlMjBFTUFJTCUyMENBLTEw JTJjb3UlM2RQS0kl
MmNvdSUzZERvRCUyY28lM2RVLlMuJTIwR292ZXJubWVudCUyY2MlM2RVUzCB uAYDVR0fBIGwMIGt
MIGqoIGnoIGkhoGhbGRhcDovL2VtYWlsLWRzLTQuYzNwa2kuZGVuLmRpc2Eu bWlsL2NuJTNkRE9E
JTIwQ0xBU1MlMjAzJTIwRU1BSUwlMjBDQS0xMCUyY291JTNkUEtJJTJjb3Ul M2REb0QlMmNvJTNk
VS5TLiUyMEdvdmVybm1lbnQlMmNjJTNkVVM/Y2VydGlmaWNhdGVyZXZvY2F0 aW9ubGlzdDtiaW5h
cnkwDQYJKoZIhvcNAQEFBQADgYEARRvrfgpwfPSmQh57wvP0UdjhVXud5Ckq hR9jechpSuv6zI81
K5RazYSm3BZSGdKr7gbcpyYobSDRgYdI16VUqCnEHuuAB8+BqGmAvQ/5cj+X Nnjdko41ZCWsPVPD
Z1h1FDH9xiVOSX5fbLJFIobWiLbcxdGtofPOGxSpA/oKNF0wggSMMIID9aAD AgECAgMf5sMwDQYJ
KoZIhvcNAQEFBQAwZTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292 ZXJubWVudDEMMAoG
A1UECxMDRG9EMQwwCgYDVQQLEwNQS0kxIDAeBgNVBAMTF0RPRCBDTEFTUyAz IEVNQUlMIENBLTEw
MB4XDTA1MTAxMTAwMDAwMFoXDTA4MTAwMzIzNTk1OVowgYIxCzAJBgNVBAYT AlVTMRgwFgYDVQQK
Ew9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UECxMDUEtJ MRMwEQYDVQQLEwpD
T05UUkFDVE9SMSgwJgYDVQQDEx9WSUNUT1IuRFdJR0hULlBISUxJUC4xMjY4 NzczMTA2MIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwQAYdZSGFQHDUfLHddrhI5Btde8C6 yjy2r6L6y45jJapZ
ZRYmScwqWlft0bWrRzsTGef5ay82fdymDiZUfMDoKOB/tQ1QoBUxxdxRSk96 ptEMUrZaQeXvtoNq
l6r8qafv7P1ncRqgiQxLyfZGEq1jktYN1UywdFauw+8Mut1cmwIDAQABo4IC KjCCAiYwDgYDVR0P
AQH/BAQDAgbAMB8GA1UdIwQYMBaAFG83I6TTIOv0DD9gn3lMC3IQ0jyXMB0G A1UdDgQWBBQWTNCc
1DPiYzUSfJSzxed0TEL8ejAWBgNVHSAEDzANMAsGCWCGSAFlAgELCTCBjgYD VR0SBIGGMIGDhoGA
bGRhcDovL2VtYWlsLWRzLTQuYzNwa2kuZGVuLmRpc2EubWlsL2NuJTNkRE9E JTIwQ0xBU1MlMjAz
JTIwRU1BSUwlMjBDQS0xMCUyY291JTNkUEtJJTJjb3UlM2REb0QlMmNvJTNk VS5TLiUyMEdvdmVy
bm1lbnQlMmNjJTNkVVMwgbgGA1UdHwSBsDCBrTCBqqCBp6CBpIaBoWxkYXA6 Ly9lbWFpbC1kcy00
LmMzcGtpLmRlbi5kaXNhLm1pbC9jbiUzZERPRCUyMENMQVNTJTIwMyUyMEVN QUlMJTIwQ0EtMTAl
MmNvdSUzZFBLSSUyY291JTNkRG9EJTJjbyUzZFUuUy4lMjBHb3Zlcm5tZW50 JTJjYyUzZFVTP2Nl
cnRpZmljYXRlcmV2b2NhdGlvbmxpc3Q7YmluYXJ5MCkGA1UdJQQiMCAGCisG AQQBgjcUAgIGCCsG
AQUFBwMEBggrBgEFBQcDAjBFBgNVHREEPjA8gRpkd2lnaHQudmljdG9yLmN0 ckBkaXNhLm1pbKAe
BgorBgEEAYI3FAIDoBAMDjEyNjg3NzMxMDZAbWlsMA0GCSqGSIb3DQEBBQUA A4GBAM62LQD0KPob
Ke1x+jf/4xH6Mv/63GT6pGw2S1St2bmq5GDDgoMziieBEkqVVczDjg7+2DE/ AyH8XF5Jy8EDsrMP
Z0gp3aqBG7Kl3NI8Szp1OgN8M3NJ7UZQi1n4kXSY8nPH4NhJvN1XqRPPGMUH 94jRLjUUd2jgCtbh
+knezK8iMYICyTCCAsUCAQEwbDBlMQswCQYDVQQGEwJVUzEYMBYGA1UEChMP VS5TLiBHb3Zlcm5t
ZW50MQwwCgYDVQQLEwNEb0QxDDAKBgNVBAsTA1BLSTEgMB4GA1UEAxMXRE9E IENMQVNTIDMgRU1B
SUwgQ0EtMTACAx/mwzAJBgUrDgMCGgUAoIIBszAYBgkqhkiG9w0BCQMxCwYJ KoZIhvcNAQcBMBwG
CSqGSIb3DQEJBTEPFw0wNjA1MTcxOTI5MjZaMCMGCSqGSIb3DQEJBDEWBBSZ SSMEJI4eb3oikDds
+SFHolkRPDBYBgkqhkiG9w0BCQ8xSzBJMAoGCCqGSIb3DQMHMA4GCCqGSIb3 DQMCAgIAgDAHBgUr
DgMCBzANBggqhkiG9w0DAgIBKDAHBgUrDgMCGjAKBggqhkiG9w0CBTB7Bgkr BgEEAYI3EAQxbjBs
MGUxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAK BgNVBAsTA0RvRDEM
MAoGA1UECxMDUEtJMSAwHgYDVQQDExdET0QgQ0xBU1MgMyBFTUFJTCBDQS0x MAIDH+bEMH0GCyqG
SIb3DQEJEAILMW6gbDBlMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBH b3Zlcm5tZW50MQww
CgYDVQQLEwNEb0QxDDAKBgNVBAsTA1BLSTEgMB4GA1UEAxMXRE9EIENMQVNT IDMgRU1BSUwgQ0Et
MTACAx/mxDANBgkqhkiG9w0BAQEFAASBgKgnMyQYLRGa5NftPxG+XAd/5nnX VLz6W0150T3+UYIJ
4/iYS47EebhbG07EXuCf7DwwJNIDunMpsBdKyqtL5m1qFvfdHqO6KbR4/lqB +e9AIni9KEeDqWAl
i9MiYeW0oKGoKO7xy9op6hRWgnWFJw7prk3tqGBBa2pSt/poACuxAAAAAAAA
------=_NextPart_000_008B_01C67994.63DDF890--
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: OCSP? (UNCLASSIFIED)
am 11.10.2006 22:32:05 von pbains
My organization is headed down this road after experiencing performance
degradation from checking large CRLs. As we come up with a solution, will
post what I find out. Alternatively, if you have any information, would
appreciate it, thanks!
Paul
Victor, Dwight P CTR DISA PAC wrote:
>
> Classification: UNCLASSIFIED
> Caveats: NONE
>
>
> Hello List!
>
> Has anyone had any experience/success with using mod_ssl + Apache v2 to
> query an OCSP responder regarding the status of an end-user provided
> certificate and allow/deny access based on the response? Any tips,
> suggestions, discussion would be appreciated.
>
> Best Regards,
>
> Dwight...
>
> ---
> Dwight Victor, CISSP (Contractor)
> Systems Administrator / Webmaster
> General Dynamics C4 Systems
> EMAIL: dwight.victor.ctr@disa.mil
> TEL: (808) 653-3677 ext 229
>
> Classification: UNCLASSIFIED
> Caveats: NONE
>
>
>
>
--
View this message in context: http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.htm l#a6764147
Sent from the mod_ssl - Users mailing list archive at Nabble.com.
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
RE: OCSP? (UNCLASSIFIED)
am 11.10.2006 22:44:19 von Eriks.Richters
I went down this road a few months ago. Someone wrote a patch that
would add OCSP client functionality to Apache, but the patch never got
folded into the Apache mainline code. We spent a bit of effort trying
to get the patch to work with our version of Apache with no luck.
There are two products from commercial organizations out there that can
help. One is from Tumbleweed, called Server Validator. It's pricey
about $2000 per server, but works pretty well. Its very easy to install
and configure and has some nice features for supporting OCSP and failing
over to CRLs. It is supported on several platforms. =20
The other product is called WebCullis from the organization that used to
be Orion Security. (Orion Security has since been bought by Entrust.)
It used to be under the GPL, which was nice. At the time, they only had
a version for Windows and Intel based Solaris.=20
I hope this helps.=20
-----Original Message-----
From: owner-modssl-users@modssl.org
[mailto:owner-modssl-users@modssl.org] On Behalf Of pbains
Sent: Wednesday, October 11, 2006 4:32 PM
To: modssl-users@modssl.org
Subject: Re: OCSP? (UNCLASSIFIED)
My organization is headed down this road after experiencing performance
degradation from checking large CRLs. As we come up with a solution,
will
post what I find out. Alternatively, if you have any information, would
appreciate it, thanks!
Paul
Victor, Dwight P CTR DISA PAC wrote:
>=20
> Classification: UNCLASSIFIED=20
> Caveats: NONE
>=20
>=20
> Hello List!
>=20
> Has anyone had any experience/success with using mod_ssl + Apache v2
to
> query an OCSP responder regarding the status of an end-user provided
> certificate and allow/deny access based on the response? Any tips,
> suggestions, discussion would be appreciated.
>=20
> Best Regards,
>=20
> Dwight...
>=20
> ---
> Dwight Victor, CISSP (Contractor)
> Systems Administrator / Webmaster
> General Dynamics C4 Systems
> EMAIL: dwight.victor.ctr@disa.mil
> TEL: (808) 653-3677 ext 229
>=20
> Classification: UNCLASSIFIED=20
> Caveats: NONE
>=20
>=20
> =20
>=20
--=20
View this message in context:
http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.htm l#a6764147
Sent from the mod_ssl - Users mailing list archive at Nabble.com.
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
RE: OCSP? (UNCLASSIFIED)
am 11.10.2006 22:55:06 von pbains
Thanks Eriks, appreciate the info. We are using HP-UX, so the Tumbleweed
solution won't work for us. We do have an HP version of Apache that has the
OCSP mod of mod_ssl, but we just installed it (today) and haven't had a
chance to look at the documentation yet. Will post back and let you know
what we found out. Thanks again.
Paul
Richters, Eriks A wrote:
>
> I went down this road a few months ago. Someone wrote a patch that
> would add OCSP client functionality to Apache, but the patch never got
> folded into the Apache mainline code. We spent a bit of effort trying
> to get the patch to work with our version of Apache with no luck.
> There are two products from commercial organizations out there that can
> help. One is from Tumbleweed, called Server Validator. It's pricey
> about $2000 per server, but works pretty well. Its very easy to install
> and configure and has some nice features for supporting OCSP and failing
> over to CRLs. It is supported on several platforms.
> The other product is called WebCullis from the organization that used to
> be Orion Security. (Orion Security has since been bought by Entrust.)
> It used to be under the GPL, which was nice. At the time, they only had
> a version for Windows and Intel based Solaris.
> I hope this helps.
>
> -----Original Message-----
> From: owner-modssl-users@modssl.org
> [mailto:owner-modssl-users@modssl.org] On Behalf Of pbains
> Sent: Wednesday, October 11, 2006 4:32 PM
> To: modssl-users@modssl.org
> Subject: Re: OCSP? (UNCLASSIFIED)
>
>
> My organization is headed down this road after experiencing performance
> degradation from checking large CRLs. As we come up with a solution,
> will
> post what I find out. Alternatively, if you have any information, would
> appreciate it, thanks!
>
> Paul
>
>
> Victor, Dwight P CTR DISA PAC wrote:
>>
>> Classification: UNCLASSIFIED
>> Caveats: NONE
>>
>>
>> Hello List!
>>
>> Has anyone had any experience/success with using mod_ssl + Apache v2
> to
>> query an OCSP responder regarding the status of an end-user provided
>> certificate and allow/deny access based on the response? Any tips,
>> suggestions, discussion would be appreciated.
>>
>> Best Regards,
>>
>> Dwight...
>>
>> ---
>> Dwight Victor, CISSP (Contractor)
>> Systems Administrator / Webmaster
>> General Dynamics C4 Systems
>> EMAIL: dwight.victor.ctr@disa.mil
>> TEL: (808) 653-3677 ext 229
>>
>> Classification: UNCLASSIFIED
>> Caveats: NONE
>>
>>
>>
>>
>
> --
> View this message in context:
> http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.htm l#a6764147
> Sent from the mod_ssl - Users mailing list archive at Nabble.com.
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
>
--
View this message in context: http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.htm l#a6764600
Sent from the mod_ssl - Users mailing list archive at Nabble.com.
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
RE: OCSP? (UNCLASSIFIED)
am 11.10.2006 23:16:32 von Dwight.Victor.ctr
Classification: UNCLASSIFIED
Caveats: NONE
Hi Eriks,
Thanks for the tip regarding Tumbleweed & WebCullis. I'll definitely have
to do some research.
Paul,
One of my web searches pulled up the fact that HP-UX has a OCSP enabled
version of mod_ssl. Seems to be a lucky break for you. Hope that works
out.
I have experienced a large memory hit anytime certificate checking is
performed against the CRLs (some of which are 13 MB in size) in the range of
75MB per Apache server instance. Luckily we aren't that busy, or we would
definitely be feeling the pain.
BTW, I've been reading a bit about mod_nss
(http://directory.fedora.redhat.com/wiki/Mod_nss). This module sounds
interesting, but it isn't supported on HP-UX. I'll have to give it a try
and I'll let the list know the results (if I can find some time to play with
it).
Thanks again,
Dwight...
---
Dwight Victor, CISSP (Contractor)
EMAIL: dwight.victor.ctr@disa.mil
SMAIL: victord@pac.disa.smil.mil
TEL: (808) 653-3677 ext 229
-----Original Message-----
From: owner-modssl-users@modssl.org [mailto:owner-modssl-users@modssl.org]
Sent: Wednesday, October 11, 2006 10:55 AM
To: modssl-users@modssl.org
Subject: RE: OCSP? (UNCLASSIFIED)
Thanks Eriks, appreciate the info. We are using HP-UX, so the Tumbleweed
solution won't work for us. We do have an HP version of Apache that has the
OCSP mod of mod_ssl, but we just installed it (today) and haven't had a
chance to look at the documentation yet. Will post back and let you know
what we found out. Thanks again.
Paul
Richters, Eriks A wrote:
>
> I went down this road a few months ago. Someone wrote a patch that
> would add OCSP client functionality to Apache, but the patch never got
> folded into the Apache mainline code. We spent a bit of effort trying
> to get the patch to work with our version of Apache with no luck.
> There are two products from commercial organizations out there that
> can help. One is from Tumbleweed, called Server Validator. It's
> pricey about $2000 per server, but works pretty well. Its very easy to
> install and configure and has some nice features for supporting OCSP
> and failing over to CRLs. It is supported on several platforms.
> The other product is called WebCullis from the organization that used
> to be Orion Security. (Orion Security has since been bought by
> Entrust.) It used to be under the GPL, which was nice. At the time,
> they only had a version for Windows and Intel based Solaris.
> I hope this helps.
>
> -----Original Message-----
> From: owner-modssl-users@modssl.org
> [mailto:owner-modssl-users@modssl.org] On Behalf Of pbains
> Sent: Wednesday, October 11, 2006 4:32 PM
> To: modssl-users@modssl.org
> Subject: Re: OCSP? (UNCLASSIFIED)
>
>
> My organization is headed down this road after experiencing
> performance degradation from checking large CRLs. As we come up with a
> solution, will post what I find out. Alternatively, if you have any
> information, would appreciate it, thanks!
>
> Paul
>
>
> Victor, Dwight P CTR DISA PAC wrote:
>>
>> Classification: UNCLASSIFIED
>> Caveats: NONE
>>
>>
>> Hello List!
>>
>> Has anyone had any experience/success with using mod_ssl + Apache v2
> to
>> query an OCSP responder regarding the status of an end-user provided
>> certificate and allow/deny access based on the response? Any tips,
>> suggestions, discussion would be appreciated.
>>
>> Best Regards,
>>
>> Dwight...
>>
>> ---
>> Dwight Victor, CISSP (Contractor)
>> Systems Administrator / Webmaster
>> General Dynamics C4 Systems
>> EMAIL: dwight.victor.ctr@disa.mil
>> TEL: (808) 653-3677 ext 229
>>
>> Classification: UNCLASSIFIED
>> Caveats: NONE
>>
>>
>>
>>
>
> --
> View this message in context:
> http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.htm l#a6764147
> Sent from the mod_ssl - Users mailing list archive at Nabble.com.
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
>
--
View this message in context:
http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.htm l#a6764600
Sent from the mod_ssl - Users mailing list archive at Nabble.com.
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Classification: UNCLASSIFIED
Caveats: NONE
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: OCSP? (UNCLASSIFIED)
am 12.10.2006 10:14:26 von fsoumil
http://www.belgium.be/zip/eid_authentication_proxy_fr.html
You will find there an updated version of mod-ssl including OCSP check
as well as the documentation to set it up.
2006/10/11, Victor, Dwight P CTR DISA PAC :
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> Hi Eriks,
>
> Thanks for the tip regarding Tumbleweed & WebCullis. I'll definitely have
> to do some research.
>
> Paul,
>
> One of my web searches pulled up the fact that HP-UX has a OCSP enabled
> version of mod_ssl. Seems to be a lucky break for you. Hope that works
> out.
>
> I have experienced a large memory hit anytime certificate checking is
> performed against the CRLs (some of which are 13 MB in size) in the range of
> 75MB per Apache server instance. Luckily we aren't that busy, or we would
> definitely be feeling the pain.
>
> BTW, I've been reading a bit about mod_nss
> (http://directory.fedora.redhat.com/wiki/Mod_nss). This module sounds
> interesting, but it isn't supported on HP-UX. I'll have to give it a try
> and I'll let the list know the results (if I can find some time to play with
> it).
> Thanks again,
>
> Dwight...
>
> ---
> Dwight Victor, CISSP (Contractor)
> EMAIL: dwight.victor.ctr@disa.mil
> SMAIL: victord@pac.disa.smil.mil
> TEL: (808) 653-3677 ext 229
>
> -----Original Message-----
> From: owner-modssl-users@modssl.org [mailto:owner-modssl-users@modssl.org]
> Sent: Wednesday, October 11, 2006 10:55 AM
> To: modssl-users@modssl.org
> Subject: RE: OCSP? (UNCLASSIFIED)
>
>
> Thanks Eriks, appreciate the info. We are using HP-UX, so the Tumbleweed
> solution won't work for us. We do have an HP version of Apache that has the
> OCSP mod of mod_ssl, but we just installed it (today) and haven't had a
> chance to look at the documentation yet. Will post back and let you know
> what we found out. Thanks again.
>
> Paul
>
>
> Richters, Eriks A wrote:
> >
> > I went down this road a few months ago. Someone wrote a patch that
> > would add OCSP client functionality to Apache, but the patch never got
> > folded into the Apache mainline code. We spent a bit of effort trying
> > to get the patch to work with our version of Apache with no luck.
> > There are two products from commercial organizations out there that
> > can help. One is from Tumbleweed, called Server Validator. It's
> > pricey about $2000 per server, but works pretty well. Its very easy to
> > install and configure and has some nice features for supporting OCSP
> > and failing over to CRLs. It is supported on several platforms.
> > The other product is called WebCullis from the organization that used
> > to be Orion Security. (Orion Security has since been bought by
> > Entrust.) It used to be under the GPL, which was nice. At the time,
> > they only had a version for Windows and Intel based Solaris.
> > I hope this helps.
> >
> > -----Original Message-----
> > From: owner-modssl-users@modssl.org
> > [mailto:owner-modssl-users@modssl.org] On Behalf Of pbains
> > Sent: Wednesday, October 11, 2006 4:32 PM
> > To: modssl-users@modssl.org
> > Subject: Re: OCSP? (UNCLASSIFIED)
> >
> >
> > My organization is headed down this road after experiencing
> > performance degradation from checking large CRLs. As we come up with a
> > solution, will post what I find out. Alternatively, if you have any
> > information, would appreciate it, thanks!
> >
> > Paul
> >
> >
> > Victor, Dwight P CTR DISA PAC wrote:
> >>
> >> Classification: UNCLASSIFIED
> >> Caveats: NONE
> >>
> >>
> >> Hello List!
> >>
> >> Has anyone had any experience/success with using mod_ssl + Apache v2
> > to
> >> query an OCSP responder regarding the status of an end-user provided
> >> certificate and allow/deny access based on the response? Any tips,
> >> suggestions, discussion would be appreciated.
> >>
> >> Best Regards,
> >>
> >> Dwight...
> >>
> >> ---
> >> Dwight Victor, CISSP (Contractor)
> >> Systems Administrator / Webmaster
> >> General Dynamics C4 Systems
> >> EMAIL: dwight.victor.ctr@disa.mil
> >> TEL: (808) 653-3677 ext 229
> >>
> >> Classification: UNCLASSIFIED
> >> Caveats: NONE
> >>
> >>
> >>
> >>
> >
> > --
> > View this message in context:
> > http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.htm l#a6764147
> > Sent from the mod_ssl - Users mailing list archive at Nabble.com.
> >
> > ____________________________________________________________ __________
> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > User Support Mailing List modssl-users@modssl.org
> > Automated List Manager majordomo@modssl.org
> >
> > ____________________________________________________________ __________
> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > User Support Mailing List modssl-users@modssl.org
> > Automated List Manager majordomo@modssl.org
> >
> >
>
> --
> View this message in context:
> http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.htm l#a6764600
> Sent from the mod_ssl - Users mailing list archive at Nabble.com.
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
RE: OCSP? (UNCLASSIFIED)
am 12.10.2006 20:00:51 von Dwight.Victor.ctr
Classification: UNCLASSIFIED=20
Caveats: NONE
Thank you Fran=E7ois!
---
Dwight Victor, CISSP (Contractor)
TEL: (808) 653-3677 ext 229
-----Original Message-----
From: owner-modssl-users@modssl.org =
[mailto:owner-modssl-users@modssl.org]=20
Sent: Wednesday, October 11, 2006 10:14 PM
To: modssl-users@modssl.org
Subject: Re: OCSP? (UNCLASSIFIED)
http://www.belgium.be/zip/eid_authentication_proxy_fr.html
You will find there an updated version of mod-ssl including OCSP check =
as
well as the documentation to set it up.
2006/10/11, Victor, Dwight P CTR DISA PAC :
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> Hi Eriks,
>
> Thanks for the tip regarding Tumbleweed & WebCullis. I'll definitely =
> have to do some research.
>
> Paul,
>
> One of my web searches pulled up the fact that HP-UX has a OCSP=20
> enabled version of mod_ssl. Seems to be a lucky break for you. Hope =
> that works out.
>
> I have experienced a large memory hit anytime certificate checking is =
> performed against the CRLs (some of which are 13 MB in size) in the=20
> range of 75MB per Apache server instance. Luckily we aren't that=20
> busy, or we would definitely be feeling the pain.
>
> BTW, I've been reading a bit about mod_nss=20
> (http://directory.fedora.redhat.com/wiki/Mod_nss). This module =
sounds=20
> interesting, but it isn't supported on HP-UX. I'll have to give it a =
> try and I'll let the list know the results (if I can find some time =
to=20
> play with it).
> Thanks again,
>
> Dwight...
>
> ---
> Dwight Victor, CISSP (Contractor)
> EMAIL: dwight.victor.ctr@disa.mil
> SMAIL: victord@pac.disa.smil.mil
> TEL: (808) 653-3677 ext 229
>
> -----Original Message-----
> From: owner-modssl-users@modssl.org=20
> [mailto:owner-modssl-users@modssl.org]
> Sent: Wednesday, October 11, 2006 10:55 AM
> To: modssl-users@modssl.org
> Subject: RE: OCSP? (UNCLASSIFIED)
>
>
> Thanks Eriks, appreciate the info. We are using HP-UX, so the=20
> Tumbleweed solution won't work for us. We do have an HP version of=20
> Apache that has the OCSP mod of mod_ssl, but we just installed it=20
> (today) and haven't had a chance to look at the documentation yet.=20
> Will post back and let you know what we found out. Thanks again.
>
> Paul
>
>
> Richters, Eriks A wrote:
> >
> > I went down this road a few months ago. Someone wrote a patch that =
> > would add OCSP client functionality to Apache, but the patch never=20
> > got folded into the Apache mainline code. We spent a bit of effort =
> > trying to get the patch to work with our version of Apache with no =
luck.
> > There are two products from commercial organizations out there that =
> > can help. One is from Tumbleweed, called Server Validator. It's=20
> > pricey about $2000 per server, but works pretty well. Its very easy =
> > to install and configure and has some nice features for supporting=20
> > OCSP and failing over to CRLs. It is supported on several =
platforms.
> > The other product is called WebCullis from the organization that=20
> > used to be Orion Security. (Orion Security has since been bought by
> > Entrust.) It used to be under the GPL, which was nice. At the =
time,=20
> > they only had a version for Windows and Intel based Solaris.
> > I hope this helps.
> >
> > -----Original Message-----
> > From: owner-modssl-users@modssl.org
> > [mailto:owner-modssl-users@modssl.org] On Behalf Of pbains
> > Sent: Wednesday, October 11, 2006 4:32 PM
> > To: modssl-users@modssl.org
> > Subject: Re: OCSP? (UNCLASSIFIED)
> >
> >
> > My organization is headed down this road after experiencing=20
> > performance degradation from checking large CRLs. As we come up =
with=20
> > a solution, will post what I find out. Alternatively, if you have=20
> > any information, would appreciate it, thanks!
> >
> > Paul
> >
> >
> > Victor, Dwight P CTR DISA PAC wrote:
> >>
> >> Classification: UNCLASSIFIED
> >> Caveats: NONE
> >>
> >>
> >> Hello List!
> >>
> >> Has anyone had any experience/success with using mod_ssl + Apache=20
> >> v2
> > to
> >> query an OCSP responder regarding the status of an end-user=20
> >> provided certificate and allow/deny access based on the response? =
> >> Any tips, suggestions, discussion would be appreciated.
> >>
> >> Best Regards,
> >>
> >> Dwight...
> >>
> >> ---
> >> Dwight Victor, CISSP (Contractor)
> >> Systems Administrator / Webmaster
> >> General Dynamics C4 Systems
> >> EMAIL: dwight.victor.ctr@disa.mil
> >> TEL: (808) 653-3677 ext 229
> >>
> >> Classification: UNCLASSIFIED
> >> Caveats: NONE
> >>
> >>
> >>
> >>
> >
> > --
> > View this message in context:
> > =
http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.htm l#a67641
> > 47 Sent from the mod_ssl - Users mailing list archive at =
Nabble.com.
> >
> > =
____________________________________________________________ __________
> > Apache Interface to OpenSSL (mod_ssl) =
www.modssl.org
> > User Support Mailing List =
modssl-users@modssl.org
> > Automated List Manager =
majordomo@modssl.org
> >
> > =
____________________________________________________________ __________
> > Apache Interface to OpenSSL (mod_ssl) =
www.modssl.org
> > User Support Mailing List =
modssl-users@modssl.org
> > Automated List Manager =
majordomo@modssl.org
> >
> >
>
> --
> View this message in context:
> =
http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.htm l#a6764600
> Sent from the mod_ssl - Users mailing list archive at Nabble.com.
>
> =
____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) =
www.modssl.org
> User Support Mailing List =
modssl-users@modssl.org
> Automated List Manager =
majordomo@modssl.org
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> =
____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) =
www.modssl.org
> User Support Mailing List =
modssl-users@modssl.org
> Automated List Manager =
majordomo@modssl.org
>
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Classification: UNCLASSIFIED=20
Caveats: NONE
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: OCSP? (UNCLASSIFIED)
am 12.10.2006 21:43:46 von pbains
Thank you François! After reading the documentation and looking at the=
Apache
developer's notes, I am still not clear on how to specify an OCSP responder
if the responder URI is not included in the responder's certificate. From
the Apache developer's notes, I think it is via a configuration option in
ssl.conf, but I have not seen an example, only misc notes. Does anyone know
how to do this? We would like to be able to specify a specific responder if
the URI is not contained in the server's cert. Thanks in advance.
Paul
François Soumillion wrote:
>=20
> http://www.belgium.be/zip/eid_authentication_proxy_fr.html
>=20
> You will find there an updated version of mod-ssl including OCSP check
> as well as the documentation to set it up.
>=20
> 2006/10/11, Victor, Dwight P CTR DISA PAC :
>> Classification: UNCLASSIFIED
>> Caveats: NONE
>>
>> Hi Eriks,
>>
>> Thanks for the tip regarding Tumbleweed & WebCullis. I'll definitely
>> have
>> to do some research.
>>
>> Paul,
>>
>> One of my web searches pulled up the fact that HP-UX has a OCSP enabled
>> version of mod_ssl. Seems to be a lucky break for you. Hope that works
>> out.
>>
>> I have experienced a large memory hit anytime certificate checking is
>> performed against the CRLs (some of which are 13 MB in size) in the rang=
e
>> of
>> 75MB per Apache server instance. Luckily we aren't that busy, or we
>> would
>> definitely be feeling the pain.
>>
>> BTW, I've been reading a bit about mod_nss
>> (http://directory.fedora.redhat.com/wiki/Mod_nss). This module sounds
>> interesting, but it isn't supported on HP-UX. I'll have to give it a tr=
y
>> and I'll let the list know the results (if I can find some time to play
>> with
>> it).
>> Thanks again,
>>
>> Dwight...
>>
>> ---
>> Dwight Victor, CISSP (Contractor)
>> EMAIL: dwight.victor.ctr@disa.mil
>> SMAIL: victord@pac.disa.smil.mil
>> TEL: (808) 653-3677 ext 229
>>
>> -----Original Message-----
>> From: owner-modssl-users@modssl.org
>> [mailto:owner-modssl-users@modssl.org]
>> Sent: Wednesday, October 11, 2006 10:55 AM
>> To: modssl-users@modssl.org
>> Subject: RE: OCSP? (UNCLASSIFIED)
>>
>>
>> Thanks Eriks, appreciate the info. We are using HP-UX, so the Tumbleweed
>> solution won't work for us. We do have an HP version of Apache that has
>> the
>> OCSP mod of mod_ssl, but we just installed it (today) and haven't had a
>> chance to look at the documentation yet. Will post back and let you know
>> what we found out. Thanks again.
>>
>> Paul
>>
>>
>> Richters, Eriks A wrote:
>> >
>> > I went down this road a few months ago. Someone wrote a patch that
>> > would add OCSP client functionality to Apache, but the patch never got
>> > folded into the Apache mainline code. We spent a bit of effort trying
>> > to get the patch to work with our version of Apache with no luck.
>> > There are two products from commercial organizations out there that
>> > can help. One is from Tumbleweed, called Server Validator. It's
>> > pricey about $2000 per server, but works pretty well. Its very easy to
>> > install and configure and has some nice features for supporting OCSP
>> > and failing over to CRLs. It is supported on several platforms.
>> > The other product is called WebCullis from the organization that used
>> > to be Orion Security. (Orion Security has since been bought by
>> > Entrust.) It used to be under the GPL, which was nice. At the time,
>> > they only had a version for Windows and Intel based Solaris.
>> > I hope this helps.
>> >
>> > -----Original Message-----
>> > From: owner-modssl-users@modssl.org
>> > [mailto:owner-modssl-users@modssl.org] On Behalf Of pbains
>> > Sent: Wednesday, October 11, 2006 4:32 PM
>> > To: modssl-users@modssl.org
>> > Subject: Re: OCSP? (UNCLASSIFIED)
>> >
>> >
>> > My organization is headed down this road after experiencing
>> > performance degradation from checking large CRLs. As we come up with a
>> > solution, will post what I find out. Alternatively, if you have any
>> > information, would appreciate it, thanks!
>> >
>> > Paul
>> >
>> >
>> > Victor, Dwight P CTR DISA PAC wrote:
>> >>
>> >> Classification: UNCLASSIFIED
>> >> Caveats: NONE
>> >>
>> >>
>> >> Hello List!
>> >>
>> >> Has anyone had any experience/success with using mod_ssl + Apache v2
>> > to
>> >> query an OCSP responder regarding the status of an end-user provided
>> >> certificate and allow/deny access based on the response? Any tips,
>> >> suggestions, discussion would be appreciated.
>> >>
>> >> Best Regards,
>> >>
>> >> Dwight...
>> >>
>> >> ---
>> >> Dwight Victor, CISSP (Contractor)
>> >> Systems Administrator / Webmaster
>> >> General Dynamics C4 Systems
>> >> EMAIL: dwight.victor.ctr@disa.mil
>> >> TEL: (808) 653-3677 ext 229
>> >>
>> >> Classification: UNCLASSIFIED
>> >> Caveats: NONE
>> >>
>> >>
>> >>
>> >>
>> >
>> > --
>> > View this message in context:
>> > http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.htm l#a6764147
>> > Sent from the mod_ssl - Users mailing list archive at Nabble.com.
>> >
>> > ____________________________________________________________ __________
>> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>> > User Support Mailing List modssl-users@modssl.org
>> > Automated List Manager majordomo@modssl.org
>> >
>> > ____________________________________________________________ __________
>> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>> > User Support Mailing List modssl-users@modssl.org
>> > Automated List Manager majordomo@modssl.org
>> >
>> >
>>
>> --
>> View this message in context:
>> http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.htm l#a6764600
>> Sent from the mod_ssl - Users mailing list archive at Nabble.com.
>>
>> ____________________________________________________________ __________
>> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>> User Support Mailing List modssl-users@modssl.org
>> Automated List Manager majordomo@modssl.org
>> Classification: UNCLASSIFIED
>> Caveats: NONE
>>
>> ____________________________________________________________ __________
>> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>> User Support Mailing List modssl-users@modssl.org
>> Automated List Manager majordomo@modssl.org
>>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>=20
>=20
--=20
View this message in context: http://www.nabble.com/OCSP--%28UNCLASSIFIED%2=
9-tf1638361.html#a6783252
Sent from the mod_ssl - Users mailing list archive at Nabble.com.
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org