OCSP addition

OCSP addition

am 28.04.2004 16:22:58 von Marc Stern

This is a multipart message in MIME format.
--=_alternative 004F22CAC1256E84_=
Content-Type: text/plain; charset="us-ascii"

Hello,

I plan to add OCSP support to modssl (and also enhance CRL support - see
the end of the e-mail).
I have the code for the OCSP check, but I'd like to check the integration
with everybody, as I will give the code back to you - if you're
interesting in it :-)

Here is what I currently plan:
1. Add a parameter "UseOCSP" in the config file
2. In function "ssl_callback_SSLVerify( )", replace the call to
"ssl_callback_SSLVerify_CRL( )" by a call to a new function
"ssl_callback_SSLVerify_Validity( )", with exactly the same parameters
3. In "ssl_callback_SSLVerify_Validity( )":
- if the parameter "UseOCSP" is on, try an OCSP check
- if the OCSP check failed because the certificate is revoked => return
error
- if the OCSP check succedded => return ok ("ok" is an input parameter,
don't know what it is exactly)
- call "ssl_callback_SSLVerify_CRL( )" and return result

Do you see any problem with that ?
Is somebody interesting in testing that code, or even work on it ?

After that step, I will also add CRL automatic download. I will describe
this in another e-mail.

Marc

--=_alternative 004F22CAC1256E84_=
Content-Type: text/html; charset="us-ascii"



Hello,



I plan to add OCSP support to modssl (and also enhance CRL support - see the end of the e-mail).

I have the code for the OCSP check, but I'd like to check the integration with everybody, as I will give the code back to you - if you're interesting in it :-)



Here is what I currently plan:

1. Add a parameter "UseOCSP" in the config file

2. In function "ssl_callback_SSLVerify( )", replace the call to "ssl_callback_SSLVerify_CRL( )" by a call to a new function "ssl_callback_SSLVerify_Validity( )", with exactly the same parameters

3. In "ssl_callback_SSLVerify_Validity( )":

  - if the parameter "UseOCSP" is on, try an OCSP check

  - if the OCSP check failed because the certificate is revoked => return error

  - if the OCSP check succedded => return ok ("ok" is an input parameter, don't know what it is exactly)

  - call  "ssl_callback_SSLVerify_CRL( )" and return result



Do you see any problem with that ?

Is somebody interesting in testing that code, or even work on it ?



After that step, I will also add CRL automatic download. I will describe this in another e-mail.



Marc


--=_alternative 004F22CAC1256E84_=--
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org