httpd-dev mailing list archives

From Meelis Roos <>
Subject OCSP validation of client leaf certificates only
Date Tue, 16 Jun 2015 14:18:56 GMT

We (Cybernetica AS) would like to add a feature to the Apache httpd mod_ssl 
module. This mail is about asking for advice and feasibility.

We have a client who has a problem with CA chains. They have a local CA, local 
CA issues client certificates. Local CA has working OCSP responder and the 
client certs have AIA extension with OCSP URL. The CA chain continues up to 
other organizations and at least one upper level subCA has no OCSP responder 
that can answer about its validity (Root CA has no OCSP for its client subca 

In this situation, it seems impossible to enable OCSP client certificate 
checking. If we enable SSLOCSPEnable, OCSP is required for all certs in the 
client-supplied chain up to trusted root. This is a problem with multiple 
popular browsers - at least Safari and Chrome send full cert chain from client 
cert to root cert, and it cannot be verified. Firefox sends cert chain only up 
to the CA advertised by mod_ssl and this works (but they can not create a site 
working with single browser only).

So we propose to write a patch to mod_ssl to add a configuration option for 
OCSP to enable only leaf certificate checking, not the full chain (or checking 
up to the CA advertised to clients, not the root CA) - similarly to 
"SSLCARevocationCheck leaf" (and please tell me if there is a better approach).

Now, my question - if we implement it accordingly to Apache coding conventions, 
is this a kind of feature that would be accepted to Apache httpd upstream?

Meelis Roos <>
security engineer
Cybernetica AS
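To make the failure described in the mail concrete, here is an added Python model (not mod_ssl code and not part of the original message) of which certificates in a client-supplied chain receive an OCSP query under three policies: today's full-chain behaviour, the proposed leaf-only check, and the "up to the advertised CA" variant. The certificate names, URLs and the assumption that self-issued certificates are never queried are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Cert:
    name: str
    ocsp_url: Optional[str]      # URL from the AIA extension, None if the cert carries none
    self_issued: bool = False

# Constructed sample certificates mirroring the situation in the mail.
LEAF     = Cert("client leaf", "http://ocsp.local-ca.example/")
LOCAL_CA = Cert("local CA",    "http://ocsp.upper-ca.example/")
UPPER_CA = Cert("upper subCA", None)                 # no responder answers for this one
ROOT     = Cert("root CA",     None, self_issued=True)

# Chains as the different browsers send them (leaf first), as the mail describes.
CHROME_SAFARI_CHAIN = [LEAF, LOCAL_CA, UPPER_CA, ROOT]   # full chain to the root
FIREFOX_CHAIN       = [LEAF, LOCAL_CA]                   # stops at the CA mod_ssl advertises

def ocsp_status(cert: Cert) -> str:
    """Stand-in for querying the responder: a cert without an AIA URL gets no answer."""
    return "good" if cert.ocsp_url else "unknown"

def certs_to_check(chain: List[Cert], mode: str, advertised_ca: Optional[str] = None) -> List[Cert]:
    """Select the certs of a leaf-first chain that get an OCSP query under a policy.
    'chain':      every non-self-issued cert (SSLOCSPEnable behaviour described in the mail)
    'leaf':       depth 0 only (the proposed option)
    'advertised': depths from the leaf up to and including the advertised CA"""
    selected = []
    for depth, cert in enumerate(chain):
        if cert.self_issued:
            continue                        # assumption: self-issued certs are never queried
        if mode == "leaf" and depth > 0:
            break
        selected.append(cert)
        if mode == "advertised" and cert.name == advertised_ca:
            break
    return selected

def verify_chain(chain: List[Cert], mode: str, advertised_ca: Optional[str] = None) -> bool:
    """True when every selected cert has a 'good' OCSP status."""
    return all(ocsp_status(c) == "good" for c in certs_to_check(chain, mode, advertised_ca))

if __name__ == "__main__":
    for client, chain in (("Chrome/Safari", CHROME_SAFARI_CHAIN), ("Firefox", FIREFOX_CHAIN)):
        for mode in ("chain", "leaf", "advertised"):
            print(f"{client:14s} {mode:10s} accepted={verify_chain(chain, mode, 'local CA')}")
```

Only the full-chain policy rejects the Chrome/Safari chain, because the upper subCA cannot be queried; the leaf-only and advertised-CA policies accept both browsers' chains.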
