OCSP addition
am 28.04.2004 16:22:58 von Marc SternThis is a multipart message in MIME format.
--=_alternative 004F22CAC1256E84_=
Content-Type: text/plain; charset="us-ascii"
Hello,
I plan to add OCSP support to modssl (and also enhance CRL support - see
the end of the e-mail).
I have the code for the OCSP check, but I'd like to check the integration
with everybody, as I will give the code back to you - if you're
interesting in it :-)
Here is what I currently plan:
1. Add a parameter "UseOCSP" in the config file
2. In function "ssl_callback_SSLVerify( )", replace the call to
"ssl_callback_SSLVerify_CRL( )" by a call to a new function
"ssl_callback_SSLVerify_Validity( )", with exactly the same parameters
3. In "ssl_callback_SSLVerify_Validity( )":
- if the parameter "UseOCSP" is on, try an OCSP check
- if the OCSP check failed because the certificate is revoked => return
error
- if the OCSP check succedded => return ok ("ok" is an input parameter,
don't know what it is exactly)
- call "ssl_callback_SSLVerify_CRL( )" and return result
Do you see any problem with that ?
Is somebody interesting in testing that code, or even work on it ?
After that step, I will also add CRL automatic download. I will describe
this in another e-mail.
Marc
--=_alternative 004F22CAC1256E84_=
Content-Type: text/html; charset="us-ascii"
Hello,
I plan to add OCSP support to modssl (and also enhance CRL support - see the end of the e-mail).
I have the code for the OCSP check, but I'd like to check the integration with everybody, as I will give the code back to you - if you're interesting in it :-)
Here is what I currently plan:
1. Add a parameter "UseOCSP" in the config file
2. In function "ssl_callback_SSLVerify( )", replace the call to "ssl_callback_SSLVerify_CRL( )" by a call to a new function "ssl_callback_SSLVerify_Validity( )", with exactly the same parameters
3. In "ssl_callback_SSLVerify_Validity( )":
- if the parameter "UseOCSP" is on, try an OCSP check
- if the OCSP check failed because the certificate is revoked => return error
- if the OCSP check succedded => return ok ("ok" is an input parameter, don't know what it is exactly)
- call "ssl_callback_SSLVerify_CRL( )" and return result
Do you see any problem with that ?
Is somebody interesting in testing that code, or even work on it ?
After that step, I will also add CRL automatic download. I will describe this in another e-mail.
Marc
--=_alternative 004F22CAC1256E84_=--
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org