httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: mod_ssl OCSP tuning (Re: T&R of 2.3.10)
Date Mon, 17 Jan 2011 13:39:11 GMT

On Sun, Jan 16, 2011 at 11:34:29AM +0100, Kaspar Brand wrote:
> On 13.12.2010 15:24, Jim Jagielski wrote:
> > At this late in the game, I would prefer to do this post-2.3.10...
> > safer that way.
> 
> Polite reminder, according to [1]... :-) I feel it's important because
> it addresses PR 49784 and a few additional improvements for the OCSP
> checking code (for client auth).
> 
> Patch v2 from December is attached again, for the sake of easier reference.

Thanks a lot for the patch & the prod...

I've merged the config options changes with some minor tweaks (OpenSSL 
seems to stomp on the OCSP_* namespace so I renamed the macros):
 
  http://svn.apache.org/viewvc?rev=1059917&view=rev

w.r.t. the change to skip OCSP validation for valid self-signed certs, I 
brought this up a while back:

http://www.mail-archive.com/dev@httpd.apache.org/msg38849.html

and Stephen said it probably be configurable.  Has common practice 
evolved here such that hard-coding the less strict behaviour is 
reasonable?

Regards, Joe
