httpd-dev mailing list archives

From Steve Marquess <marqu...@opensslfoundation.com>
Subject Re: mod_ssl OCSP tuning (Re: T&R of 2.3.10)
Date Mon, 17 Jan 2011 14:00:42 GMT
Joe Orton wrote:
> ...
> w.r.t. the change to skip OCSP validation for valid self-signed certs, I 
> brought this up a while back:
>
> http://www.mail-archive.com/dev@httpd.apache.org/msg38849.html
>
> and Stephen said it should probably be configurable.  Has common practice 
> evolved here such that hard-coding the less strict behaviour is 
> reasonable?

Are you referring to support for responders which sign responses using a
key which is trusted by some out of band means (such as with a
self-signed cert)?

The main OCSP responders in the U.S. DoD have been signing with a
self-signed cert for some time (an *expired* self-signed cert, no
less!).  Just recently I was checking an OCSP problem and noted that I
was getting responses signed by an intermediate (to the CA) certificate,
but since there are many such responders I can't be sure they are all
now doing that.

So, I'd like to see support for out-of-band responder keys.  As it is
I've had to hack in a fix to ignore the expired self-signed cert.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877-673-6775
marquess@opensslfoundation.com
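The behaviours Joe and Steve are discussing (a responder certificate that does not chain to the CA, trust for it established out of band, or responder certificate checks skipped altogether) can be exercised against a throwaway PKI with nothing but the openssl command line. The script below is an added example, not code from this thread, from mod_ssl or from OpenSSL: it builds a constructed CA, a leaf certificate it issued, and an OCSP responder whose certificate is self-signed, signs a response for the leaf with that responder key, and then verifies the same response under three policies: the strict default (the responder must chain to the trust store given with -CAfile), an out-of-band trusted responder certificate (-VAfile), and no responder certificate check at all (-no_cert_verify). Every file name and subject name is constructed for the example; the `openssl ocsp` options used are real ones.

```shell
#!/bin/sh
# Added example, not from the httpd thread, mod_ssl or OpenSSL: compare three
# `openssl ocsp` verification policies for a responder whose signing
# certificate is self-signed and therefore trusted only out of band.
# Requires the openssl command-line tool; all names below are constructed.
set -e

OCSP_DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$OCSP_DEMO_DIR"' EXIT

# Build the throwaway PKI: a CA, one leaf issued by it, and a self-signed
# responder certificate that does NOT chain to the CA.
ocsp_demo_setup() {
    cd "$OCSP_DEMO_DIR"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/CN=Demo CA" -days 30 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=leaf.example" >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
        -days 30 -out leaf.pem >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout resp.key -out resp.pem \
        -subj "/CN=Demo OCSP Responder" -days 30 >/dev/null 2>&1

    # Minimal CA index so `openssl ocsp -index` can answer for the leaf:
    # status, expiry, revocation date (empty), serial (hex), file, subject.
    printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=leaf.example\n' > index.txt
    printf 'unique_subject = yes\n' > index.txt.attr

    # Build a request for the leaf and answer it offline with the self-signed
    # responder key. Nonces are disabled so that the verification runs below,
    # which rebuild the request from -issuer/-cert, do not trip the nonce check.
    openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der \
        >/dev/null 2>&1
    openssl ocsp -index index.txt -CA ca.pem -rsigner resp.pem -rkey resp.key \
        -no_nonce -reqin req.der -respout resp.der >/dev/null 2>&1
}

# Verify resp.der under one policy; prints OK or FAIL.
#   strict            responder cert must chain to the CA given with -CAfile
#   trusted-responder resp.pem is trusted out of band (-VAfile implies -trust_other)
#   no-cert-verify    accept whatever cert the response carries (-no_cert_verify)
ocsp_verify() {
    cd "$OCSP_DEMO_DIR"
    case "$1" in
        strict)            extra="" ;;
        trusted-responder) extra="-VAfile resp.pem" ;;
        no-cert-verify)    extra="-no_cert_verify" ;;
        *) echo "unknown policy: $1" >&2; return 2 ;;
    esac
    # Word-splitting of $extra is intended; some openssl versions exit
    # non-zero on a verify failure, so the status is taken from the output.
    out=$(openssl ocsp -respin resp.der -issuer ca.pem -cert leaf.pem \
              -CAfile ca.pem -no_nonce $extra 2>&1 || true)
    case "$out" in
        *"Response verify OK"*) echo OK ;;
        *)                      echo FAIL ;;
    esac
}

ocsp_demo_setup
for policy in strict trusted-responder no-cert-verify; do
    printf '%-18s %s\n' "$policy" "$(ocsp_verify "$policy")"
done
```

The strict run fails because the responder's self-signed certificate cannot be built into a chain ending at the CA. The -VAfile run is the out-of-band trust Steve asks for: the named certificate is accepted as the signer on the strength of its identity alone, and since no chain is built, no validity period is checked either, which is why this policy also tolerates an expired responder certificate. The -no_cert_verify run is the blunt instrument: it accepts whichever certificate the response itself carries, so anything able to substitute a response can also supply the key that signed it; that is the behaviour worth keeping off by default rather than hard-coding. mod_ssl later gained directives for both policies, SSLOCSPResponderCertificateFile and SSLOCSPNoVerify (httpd 2.4.26).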

