httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: mod_ssl OCSP questions
Date Fri, 30 Nov 2007 15:23:21 GMT
Many thanks for the detailed response!  Everything taken on board, with 
one further question:

On Thu, Nov 29, 2007 at 09:35:40PM +0000, Dr Stephen Henson wrote:
...
> OpenSSL supports #1 and #2 directly so these should be automatic if the
> OpenSSL OCSP API has been used correctly.
> 
> A limited form of #3 is implemented in OpenSSL. A generalised version
> might be more appropriate in some circumstances but would need
> additional configuration options to implement.

Making the responder signature verification configurable in mod_ssl 
would just involve setting up a different set of trusted certs in an 
X509_STORE_CTX and passing that as the context parameter to 
OCSP_basic_verify(), right?  (When you say "OpenSSL supports...", I 
wonder if there is something more subtle here)

joe
