httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 41123] - Support of OCSP in mod_ssl (rewritten patch from bug #31383)
Date Thu, 29 Nov 2007 12:14:18 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41123>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41123





------- Additional Comments From marc.stern@approach.be  2007-11-29 04:14 -------
(In reply to comment #40)
> Is it at all desirable to be doing OCSP validation of every cert in the chain,
> including whatever root CA?
> It would be simple enough to only do the OCSP validation for the actual peer
> cert.
If you compromise the intermediate certificate, you could create a fake OCSP
server, with responses that will be accepted by Apache. The only way to ensure
the OCSP response is valid is to validate its certificate, and the same up to
the root.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message