OCSP support added
on 24.09.2004 09:12:36 by Marc Stern
FYI, I added support for certificate validation through OCSP, where the
OCSP server URI is contained in the certificate itself (following the
X.509 standard).
The patch is available on
http://issues.apache.org/bugzilla/show_bug.cgi?id=31383 (for 2.0.49, but
most of it is in separate files, thus it should be easy to add to 1.3).
The check is optional.
There is also a parameter to decide if the authentication fails or not
when the server cannot be reached.
The code allows conditional compilation (full code enclosed in #ifdef).
This was developed for the Belgian Government and distributed publicly
from January 2004. No bug has been reported since.
The code supports a proxy, although the option was not added in the config
file.
Another option in the config file could be to use a specified URI in case
it is not present in the certificate.
If you have any remarks about it, just send me an e-mail.
Marc Stern
CSC Computer Sciences Corporation Belgium
Security Solutions Group Manager / Network and System Architect
mobile: +32 (0)475 68 29 10 - Phone: +32 (0)2 714 74 91
e-mail: mstern@csc.com - fax: +32 (0)2 714 71 01
Hippokrateslaan,14 - B-1932 Sint-Stevens-Woluwe - Belgium
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
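
Added example, not part of the original message and not code from the patch: a sketch in C of the two steps the message describes, reading the OCSP responder URI from the certificate's Authority Information Access extension value and deciding whether authentication fails when the responder cannot be reached. The names `aia_ocsp_uri`, `ocsp_accept` and `strict` are hypothetical, the sample bytes and the `ocsp.example.test` URI are constructed, and treating a missing URI as "unreachable" and an unknown status as a rejection are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* id-ad-ocsp (1.3.6.1.5.5.7.48.1) as a DER OID, and a constructed AIA value. */
static const unsigned char OID_OCSP[] = {6, 8, 0x2B, 6, 1, 5, 5, 7, 0x30, 1};
static const unsigned char SAMPLE_AIA[] =
    "\x30\x26\x30\x24\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x01\x86\x18"
    "http://ocsp.example.test";
enum ocsp_result { OCSP_GOOD, OCSP_REVOKED, OCSP_UNKNOWN, OCSP_UNREACHABLE };

/* Bounds-checked DER header read; returns the content pointer or NULL. */
static const unsigned char *tlv(const unsigned char *p, const unsigned char *end,
                                int *tag, size_t *len) {
    if (end - p < 2) return NULL;
    *tag = *p++;
    size_t n = *p++;
    if (n & 0x80) {                      /* long form, at most 2 length bytes */
        size_t k = n & 0x7F;
        if (k == 0 || k > 2 || (size_t)(end - p) < k) return NULL;
        for (n = 0; k--; ) n = (n << 8) | *p++;
    }
    if ((size_t)(end - p) < n) return NULL;
    *len = n; return p;
}

/* Copy the first OCSP responder URI of an AIA value into out; 1 if found. */
int aia_ocsp_uri(const unsigned char *der, size_t dlen, char *out, size_t outsz) {
    int tag; size_t len, alen, ulen;
    const unsigned char *end, *p = tlv(der, der + dlen, &tag, &len);
    if (!p || tag != 0x30) return 0;     /* outer SEQUENCE expected */
    for (end = p + len; p < end; ) {
        const unsigned char *u, *ad = tlv(p, end, &tag, &alen);
        if (!ad || tag != 0x30) return 0;
        p = ad + alen;                   /* advance to next AccessDescription */
        if (alen < sizeof OID_OCSP || memcmp(ad, OID_OCSP, sizeof OID_OCSP)) continue;
        u = tlv(ad + sizeof OID_OCSP, ad + alen, &tag, &ulen);
        if (!u || tag != 0x86 || ulen >= outsz) continue;  /* 0x86 = URI */
        memcpy(out, u, ulen); out[ulen] = '\0';
        return 1;
    }
    return 0;
}

/* 1 = accept, 0 = reject. strict models the "fail when unreachable" switch. */
int ocsp_accept(const char *uri, enum ocsp_result r, int strict) {
    if (!uri) r = OCSP_UNREACHABLE;      /* assumption: no URI == unreachable */
    if (r == OCSP_GOOD) return 1;
    return r == OCSP_UNREACHABLE && !strict;  /* revoked/unknown always reject */
}
```

With `strict` off, a certificate whose responder is unreachable is accepted without a revocation answer, so availability of the responder becomes part of the authentication decision.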