httpd-dev mailing list archives

From Dr Stephen Henson <>
Subject Re: OCSP stapling in mod_ssl - use as OCSP cache for client authentication
Date Wed, 16 Sep 2009 12:38:50 GMT
William A. Rowe, Jr. wrote:
> Dr Stephen Henson wrote:
>> First comment to list in general: any comments on what needs to be done to get
>> the OCSP stapling patch accepted?
> I had been under the impression, from reading the bug commentary too many
> times, that it was not vetting the CA chain from root to cert.
> It seems I misunderstood and this patch is ready for backport.  Please
> correct us if there are any other changes required to bless this code as
> 'production ready'/General Availability.

I may have missed something here but the OCSP stapling code doesn't appear to be
in trunk. The patch in:

doesn't apply cleanly any more, though the changes needed to get it working are
fairly trivial. I'm in the process of including an updated patch.

Nitpick: along the way I noticed the ocsp code in ssl_util_ocsp.c was updated to
support a configurable timeout (which was in the original stapling patch) but
the comment:

	/* Inherit the default I/O timeout. */

has been retained which isn't true any more.

Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute:
OpenSSL Core team:
