httpd-dev mailing list archives

From Geoff Thorpe <ge...@geoffthorpe.net>
Subject Re: OCSP addition
Date Tue, 11 May 2004 17:13:14 GMT
On May 11, 2004 02:23 am, Hotmail wrote:
> I plan to add OCSP support to mod_ssl.

Cool, this will probably make quite a few people happy(ier).

[snip]
> 3. In "ssl_callback_SSLVerify_Validity( )":
>
>      - if the parameter "UseOCSP" is on, try an OCSP check
>
>      - if the OCSP check failed because the certificate is revoked =>
> return error
>
>      - if the OCSP check succeeded => return ok ("ok" is an input
> parameter, don't know what it is exactly)
>
>      - call "ssl_callback_SSLVerify_CRL( )" and return result
>
> Do you see any problem with that ?

The only thing I can see is the blocking-vs-non-blocking semantics of the 
CRL lookup. For "traditional" apache, this isn't a problem as you have an 
entire child process dedicated to serving the current request, and so you 
can block all you need to. However the desire to have the modules 
plug-and-go in different MPM scenarios could run up against problems if 
the CRL lookup is latent (which is quite likely, as the "raison d'etre" 
for PKI and OCSP is to permit authentication *at a distance*). I assume 
this wouldn't be a problem with kernel-threading, but it would definitely 
cause speed-bumps for green/user-threading. Then again, maybe this isn't 
a problem. In the worst case, it could be left as a known-limitation - 
presumably anyone wanting to use OCSP on client-authentication already 
has a fairly clear idea of the configuration and architecture they are 
after and so can live with any additional rules you impose.

> Is somebody interested in testing that code, or even working on it?

I really can't help here, but I wish you the best with it.

Cheers,
Geoff
-- 
Geoff Thorpe
geoff@geoffthorpe.net
http://www.geoffthorpe.net/

