httpd-dev mailing list archives

From Dr Stephen Henson <>
Subject Re: mod_ssl OCSP questions
Date Fri, 30 Nov 2007 12:25:42 GMT
Marc Stern wrote:
>>> c) Steve mentioned some responders don't accept requests with
>>> nonces.  What is a sane default?  Send nonces (more secure), or not
>>> (better interop).  From reading the RFC it looks like mod_ssl should
>>> also be checking the validity times from the OCSP response, which
>>> would help, I guess
>> I'll check how we are using the API. There are some OCSP helper
>> functions in OpenSSL which check the appropriate times and allow a
>> configurable "skew" for cases where clocks are inaccurately set. How
>> much skew to allow in practice may again depend on local policy.
> I agree.
> If using a nonce, there is no need to check the date. If not, you have
> to specify the time delta to accept

Although a nonce-supporting responder avoids replay attacks, I'd say we
always need to check the date in case a responder fault results in it
producing status information with an invalid date.

I've seen real world examples where stale information was being returned
by a responder.

Dr Stephen N. Henson.
Core developer of the OpenSSL project:
Freelance consultant see:
Email:, PGP key: via homepage.
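The point made above, that the thisUpdate/nextUpdate times must be checked even when a nonce matches, as an added illustration that is not part of the thread or of mod_ssl/OpenSSL. The check is modelled on the skew and maximum-age logic of OpenSSL's OCSP_check_validity(); the class, function names and sample times are constructed for the example.

```python
# Added illustration (not from the thread): validity-time checks for an OCSP
# SingleResponse, modelled on the skew/max-age logic of OpenSSL's
# OCSP_check_validity(), plus a nonce comparison. Names and values are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hmac

@dataclass
class OcspSingleResponse:
    this_update: datetime            # thisUpdate field of the SingleResponse
    next_update: Optional[datetime]  # nextUpdate, omitted by some responders
    nonce: Optional[bytes]           # id-pkix-ocsp-nonce extension, if echoed back

def check_validity(resp, now, skew=timedelta(minutes=5), max_age=None):
    """Return None if the response times are acceptable, else the reason.

    skew tolerates clocks that are slightly off (the "skew" in the thread);
    max_age bounds how old thisUpdate may be, with or without a nextUpdate.
    """
    if resp.this_update > now + skew:
        return "thisUpdate is in the future"
    if resp.next_update is not None and resp.next_update + skew < now:
        return "nextUpdate has passed: stale status information"
    if max_age is not None and resp.this_update + max_age < now:
        return "thisUpdate older than the configured maximum age"
    return None

def accept_response(resp, now, expected_nonce, skew=timedelta(minutes=5), max_age=None):
    """Nonce check when both sides used one, then the date check unconditionally."""
    if expected_nonce is not None and resp.nonce is not None:
        if not hmac.compare_digest(resp.nonce, expected_nonce):
            return (False, "nonce mismatch: possible replayed response")
    # A responder that ignores nonces falls through to the date checks alone.
    reason = check_validity(resp, now, skew, max_age)
    return (reason is None, reason or "ok")

def demo():
    """Constructed sample: a fresh response and a stale one, both with a matching nonce."""
    now = datetime(2007, 11, 30, 12, 25, 42, tzinfo=timezone.utc)
    nonce = b"\x01\x02\x03\x04"
    fresh = OcspSingleResponse(now - timedelta(hours=1), now + timedelta(hours=1), nonce)
    stale = OcspSingleResponse(now - timedelta(days=3), now - timedelta(days=2), nonce)
    return accept_response(fresh, now, nonce), accept_response(stale, now, nonce)

if __name__ == "__main__":
    print(demo())
```

The stale response is rejected despite the matching nonce, which is the failure mode described above.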
