|
»
»
OCSP? (UNCLASSIFIED)
|
View:
New views
8 Messages
—
Rating Filter:
Alert me
|
 |
OCSP? (UNCLASSIFIED)
by Victor, Dwight P CTR DISA PAC
::
Rate this Message:
Classification: UNCLASSIFIED
Caveats: NONE Hello List! Has anyone had any experience/success with using mod_ssl + Apache v2 to query an OCSP responder regarding the status of an end-user provided certificate and allow/deny access based on the response? Any tips, suggestions, discussion would be appreciated. Best Regards, Dwight... --- Dwight Victor, CISSP (Contractor) Systems Administrator / Webmaster General Dynamics C4 Systems EMAIL: dwight.victor.ctr@... TEL: (808) 653-3677 ext 229 Classification: UNCLASSIFIED Caveats: NONE |
|
|
Re: OCSP? (UNCLASSIFIED)
by pbains
::
Rate this Message:
My organization is headed down this road after experiencing performance degradation from checking large CRLs. As we come up with a solution, will post what I find out. Alternatively, if you have any information, would appreciate it, thanks!
Paul
|
|
|
RE: OCSP? (UNCLASSIFIED)
by Richters, Eriks A
::
Rate this Message:
I went down this road a few months ago. Someone wrote a patch that
would add OCSP client functionality to Apache, but the patch never got folded into the Apache mainline code. We spent a bit of effort trying to get the patch to work with our version of Apache with no luck. There are two products from commercial organizations out there that can help. One is from Tumbleweed, called Server Validator. It's pricey about $2000 per server, but works pretty well. Its very easy to install and configure and has some nice features for supporting OCSP and failing over to CRLs. It is supported on several platforms. The other product is called WebCullis from the organization that used to be Orion Security. (Orion Security has since been bought by Entrust.) It used to be under the GPL, which was nice. At the time, they only had a version for Windows and Intel based Solaris. I hope this helps. -----Original Message----- From: owner-modssl-users@... [mailto:owner-modssl-users@...] On Behalf Of pbains Sent: Wednesday, October 11, 2006 4:32 PM To: modssl-users@... Subject: Re: OCSP? (UNCLASSIFIED) My organization is headed down this road after experiencing performance degradation from checking large CRLs. As we come up with a solution, will post what I find out. Alternatively, if you have any information, would appreciate it, thanks! Paul Victor, Dwight P CTR DISA PAC wrote: > > Classification: UNCLASSIFIED > Caveats: NONE > > > Hello List! > > Has anyone had any experience/success with using mod_ssl + Apache v2 to > query an OCSP responder regarding the status of an end-user provided > certificate and allow/deny access based on the response? Any tips, > suggestions, discussion would be appreciated. > > Best Regards, > > Dwight... > > --- > Dwight Victor, CISSP (Contractor) > Systems Administrator / Webmaster > General Dynamics C4 Systems > EMAIL: dwight.victor.ctr@... > TEL: (808) 653-3677 ext 229 > > Classification: UNCLASSIFIED > Caveats: NONE > > > > -- View this message in context: http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.html#a6764147 Sent from the mod_ssl - Users mailing list archive at Nabble.com. ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@... Automated List Manager majordomo@... ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@... Automated List Manager majordomo@... |
|
|
RE: OCSP? (UNCLASSIFIED)
by pbains
::
Rate this Message:
Thanks Eriks, appreciate the info. We are using HP-UX, so the Tumbleweed solution won't work for us. We do have an HP version of Apache that has the OCSP mod of mod_ssl, but we just installed it (today) and haven't had a chance to look at the documentation yet. Will post back and let you know what we found out. Thanks again.
Paul
|
|
|
|
|
|
Re: OCSP? (UNCLASSIFIED)
by François Soumillion
::
Rate this Message:
http://www.belgium.be/zip/eid_authentication_proxy_fr.html
You will find there an updated version of mod-ssl including OCSP check as well as the documentation to set it up. 2006/10/11, Victor, Dwight P CTR DISA PAC <dwight.victor.ctr@...>: > Classification: UNCLASSIFIED > Caveats: NONE > > Hi Eriks, > > Thanks for the tip regarding Tumbleweed & WebCullis. I'll definitely have > to do some research. > > Paul, > > One of my web searches pulled up the fact that HP-UX has a OCSP enabled > version of mod_ssl. Seems to be a lucky break for you. Hope that works > out. > > I have experienced a large memory hit anytime certificate checking is > performed against the CRLs (some of which are 13 MB in size) in the range of > 75MB per Apache server instance. Luckily we aren't that busy, or we would > definitely be feeling the pain. > > BTW, I've been reading a bit about mod_nss > (http://directory.fedora.redhat.com/wiki/Mod_nss). This module sounds > interesting, but it isn't supported on HP-UX. I'll have to give it a try > and I'll let the list know the results (if I can find some time to play with > it). > Thanks again, > > Dwight... > > --- > Dwight Victor, CISSP (Contractor) > EMAIL: dwight.victor.ctr@... > SMAIL: victord@... > TEL: (808) 653-3677 ext 229 > > -----Original Message----- > From: owner-modssl-users@... [mailto:owner-modssl-users@...] > Sent: Wednesday, October 11, 2006 10:55 AM > To: modssl-users@... > Subject: RE: OCSP? (UNCLASSIFIED) > > > Thanks Eriks, appreciate the info. We are using HP-UX, so the Tumbleweed > solution won't work for us. We do have an HP version of Apache that has the > OCSP mod of mod_ssl, but we just installed it (today) and haven't had a > chance to look at the documentation yet. Will post back and let you know > what we found out. Thanks again. > > Paul > > > Richters, Eriks A wrote: > > > > I went down this road a few months ago. Someone wrote a patch that > > would add OCSP client functionality to Apache, but the patch never got > > folded into the Apache mainline code. We spent a bit of effort trying > > to get the patch to work with our version of Apache with no luck. > > There are two products from commercial organizations out there that > > can help. One is from Tumbleweed, called Server Validator. It's > > pricey about $2000 per server, but works pretty well. Its very easy to > > install and configure and has some nice features for supporting OCSP > > and failing over to CRLs. It is supported on several platforms. > > The other product is called WebCullis from the organization that used > > to be Orion Security. (Orion Security has since been bought by > > Entrust.) It used to be under the GPL, which was nice. At the time, > > they only had a version for Windows and Intel based Solaris. > > I hope this helps. > > > > -----Original Message----- > > From: owner-modssl-users@... > > [mailto:owner-modssl-users@...] On Behalf Of pbains > > Sent: Wednesday, October 11, 2006 4:32 PM > > To: modssl-users@... > > Subject: Re: OCSP? (UNCLASSIFIED) > > > > > > My organization is headed down this road after experiencing > > performance degradation from checking large CRLs. As we come up with a > > solution, will post what I find out. Alternatively, if you have any > > information, would appreciate it, thanks! > > > > Paul > > > > > > Victor, Dwight P CTR DISA PAC wrote: > >> > >> Classification: UNCLASSIFIED > >> Caveats: NONE > >> > >> > >> Hello List! > >> > >> Has anyone had any experience/success with using mod_ssl + Apache v2 > > to > >> query an OCSP responder regarding the status of an end-user provided > >> certificate and allow/deny access based on the response? Any tips, > >> suggestions, discussion would be appreciated. > >> > >> Best Regards, > >> > >> Dwight... > >> > >> --- > >> Dwight Victor, CISSP (Contractor) > >> Systems Administrator / Webmaster > >> General Dynamics C4 Systems > >> EMAIL: dwight.victor.ctr@... > >> TEL: (808) 653-3677 ext 229 > >> > >> Classification: UNCLASSIFIED > >> Caveats: NONE > >> > >> > >> > >> > > > > -- > > View this message in context: > > http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.html#a6764147 > > Sent from the mod_ssl - Users mailing list archive at Nabble.com. > > > > ______________________________________________________________________ > > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > > User Support Mailing List modssl-users@... > > Automated List Manager majordomo@... > > > > ______________________________________________________________________ > > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > > User Support Mailing List modssl-users@... > > Automated List Manager majordomo@... > > > > > > -- > View this message in context: > http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.html#a6764600 > Sent from the mod_ssl - Users mailing list archive at Nabble.com. > > ______________________________________________________________________ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List modssl-users@... > Automated List Manager majordomo@... > Classification: UNCLASSIFIED > Caveats: NONE > > ______________________________________________________________________ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List modssl-users@... > Automated List Manager majordomo@... > Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@... Automated List Manager majordomo@... |
|
|
|
|
|
Re: OCSP? (UNCLASSIFIED)
by pbains
::
Rate this Message:
Thank you François! After reading the documentation and looking at the Apache developer's notes, I am still not clear on how to specify an OCSP responder if the responder URI is not included in the responder's certificate. From the Apache developer's notes, I think it is via a configuration option in ssl.conf, but I have not seen an example, only misc notes. Does anyone know how to do this? We would like to be able to specify a specific responder if the URI is not contained in the server's cert. Thanks in advance.
Paul
|
smime.p7s (5K) 
| Free embeddable forum powered by Nabble | Forum Help |
