httpd-users mailing list archives

From Jeff Baranski
Subject [users@httpd] OCSP / mod_ssl question
Date Tue, 13 Mar 2018 15:17:03 GMT

I noticed when we turn SSLOCSPEnable on, mod_ssl tries to validate the entire certificate
chain using OCSP (as the docs already clearly state). Consider the following scenario:

Root CA > Intermediate CA > Client 1
Client 1 OCSP response "good", Intermediate CA has no OCSP URI, validation fails and apache

When using openssl cmd line I can request validation on *just* the client certificate without
having a second implicit OCSP request made on the Intermediate CA.

It seems this is done on purpose, but I want to better understand why. Also, is it controllable
(meaning tell Apache to only make the OCSP request on the client certificate)?

Any input would be appreciated.
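
The scenario in the message above, reproduced as an added example that is not part of the original post: the script builds a constructed Root CA > Intermediate CA > Client 1 chain in which only the client certificate has an OCSP URI, then reports which non-root certificates lack a responder. The function names, file names and the `ocsp.example.test` responder are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): find chain certificates that
# carry no OCSP responder URI, using a constructed Root > Intermediate > Client chain.
set -eu

# Print the OCSP URI from a certificate's AIA extension, or NONE if it has none.
ocsp_uri_or_none() {
    local uri
    uri=$(openssl x509 -in "$1" -noout -ocsp_uri)
    echo "${uri:-NONE}"
}

# Issue a certificate signed by an existing CA in the same directory.
issue() {  # usage: issue <dir> <name> <ca-name> <extfile> <CN>
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$5" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial -days 1 -extfile "$4" -out "$1/$2.pem" 2>/dev/null
}

# Build the constructed chain; ocsp.example.test is a placeholder responder.
build_demo_chain() {
    local d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    printf 'authorityInfoAccess=OCSP;URI:http://ocsp.example.test/\n' > "$d/client.ext"
    issue "$d" int root "$d/ca.ext" "Intermediate CA"   # no OCSP URI
    issue "$d" client int "$d/client.ext" "Client 1"    # has OCSP URI
}

# Report each given certificate; return 1 if any lacks a responder URI.
audit_chain() {
    local rc=0 cert uri
    for cert in "$@"; do
        uri=$(ocsp_uri_or_none "$cert")
        printf '%-40s %s\n' "$(openssl x509 -in "$cert" -noout -subject)" "$uri"
        [ "$uri" != NONE ] || rc=1
    done
    return "$rc"
}

demo_dir=$(mktemp -d)
build_demo_chain "$demo_dir"
audit_chain "$demo_dir/client.pem" "$demo_dir/int.pem" \
    || echo "chain has a certificate without an OCSP URI"
```

Since httpd 2.4.34, mod_ssl also accepts `SSLOCSPEnable leaf`, which restricts OCSP checking to the client certificate itself.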

