httpd-dev mailing list archives

From Dr Stephen Henson <>
Subject OCSP support and sub requests.
Date Fri, 19 Oct 2007 12:06:56 GMT
As Steve Marquess recently mentioned I've been working on a patch to
implement OCSP stapling support for mod_ssl.

The first version of OpenSSL which will support OCSP stapling will now
be 0.9.8h not 0.9.8g as originally announced.

It has been suggested that performing OCSP queries via the sub request
mechanism would be a good idea and I've been exploring this option.

For those not familiar with OCSP all a query entails is sending an http
request to a server using the POST (or occasionally GET) mechanism and
examining the response.

I've hit a few problems though.

I haven't found much documentation about how to use sub requests for
http: any pointers?

I would really need to include a configurable timeout on the sub request
so appropriate measures could be taken if the OCSP responder didn't erm
respond. Is that possible?

The main problem though is that adding a sub request is done via the
request_rec structure. In mod_ssl this doesn't seem to be available at
the time when it is needed. The OCSP query would need to be made during
the SSL/TLS handshake and the actual page requested is not known until
after the handshake is complete. Is there some way round this or an
alternative technique to make a sub request?

Dr Stephen N. Henson.
Core developer of the   OpenSSL project:
Freelance consultant see:
Email:, PGP key: via homepage.
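
Archive annotation, not part of the original message and not mod_ssl or OpenSSL code: the OCSP-over-HTTP POST described in the message, written as a stand-alone Python client with the configurable timeout the message asks about, reporting "no-response" when the responder stays silent. It does not use Apache sub requests; the local responder, its /stall path and all sample inputs are constructed for the demonstration.

```python
import hashlib, http.client, http.server, threading, time, urllib.parse
STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError", 3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

def der(tag, body):
    """One DER TLV with a definite length (short or long form)."""
    n, size = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")) + body

def ocsp_request(issuer_name_der, issuer_key, serial):
    """Unsigned OCSPRequest carrying one CertID hashed with SHA-1 (OID 1.3.14.3.2.26)."""
    sha1 = der(0x30, der(0x06, bytes.fromhex("2b0e03021a")) + der(0x05, b""))
    cert_id = der(0x30, sha1 + der(0x04, hashlib.sha1(issuer_name_der).digest())
                  + der(0x04, hashlib.sha1(issuer_key).digest())
                  + der(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big")))
    return der(0x30, der(0x30, der(0x30, der(0x30, cert_id))))  # OCSPRequest > TBSRequest > requestList > Request

def query(url, request, timeout):
    """POST a DER request; return the OCSPResponse responseStatus name, or 'no-response' on silence."""
    u = urllib.parse.urlsplit(url)
    conn = http.client.HTTPConnection(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("POST", u.path or "/", body=request, headers={"Content-Type": "application/ocsp-request"})
        body = conn.getresponse().read()
    except (OSError, http.client.HTTPException):
        return "no-response"  # timeout or dropped connection: the caller picks the fallback
    finally:
        conn.close()
    i = 2 + (body[1] & 0x7F if len(body) > 1 and body[1] & 0x80 else 0)  # skip the outer SEQUENCE header
    ok = body[:1] == b"\x30" and body[i:i + 2] == b"\x0a\x01" and len(body) > i + 2  # ENUMERATED, length 1
    return STATUS.get(body[i + 2], "malformed") if ok else "malformed"

class Responder(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in responder: /stall stays silent, other paths answer with a bare status."""
    log_message = lambda self, *args: None  # keep the demo quiet
    def do_POST(self):
        req = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path == "/stall":
            return time.sleep(1.0)  # constructed failure: outlast the client's timeout
        body = bytes([0x30, 3, 0x0a, 1, 3 if req[:1] == b"\x30" else 1])  # tryLater or malformedRequest
        self.send_response(200)
        self.send_header("Content-Type", "application/ocsp-response")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def start_responder():
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Responder)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1]
```

Call start_responder() once, then query(url + "/", ocsp_request(...), timeout) for an answered query or query(url + "/stall", ...) with a short timeout for the silent case.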
