I'm sorry if I am screwing up my reply to your comment, but this is the first time
I've gotten involved with a mailing list before. To your comment, Rob, I think adding
this in would be a really cool feature. Ever since that article showed up in bigadmin
about integrating mod_nss into Apache it has created a lot of buzz within the Department
of Defense because of the OCSP plug-in. The DoD currently has the largest PKI
implementation in the world, and a key component is efficient and easy OCSP checking, which
mod_nss has the capability of doing (on paper at least: I still haven't gotten it to
work in my dev environment) without dropping some cash to Tumbleweed and CoreStreet.
However, a lot of the servers (and especially desktop users) have to route their HTTP
traffic through a proxy server in order to go outside the network enclave. So I can
definitely see the need for the ability to proxy OCSP traffic.
Also, on a side note... were you the one who responded to my support question to Red
Hat on this? They gave me the same answer :)
Mike Carroll wrote:
I've currently configured mod_nss-1.0.7 to replace mod_ssl in
2.2.9, and there is a configuration parameter in nss.conf,
NSSOCSPDefaultURL, where you can specify the URL for an OCSP server. In
order to route traffic outbound from the server we have to route all
HTTP traffic through a proxy server. However, the documentation has
been vague on this point, and looking at mod_ocsp.c doesn't give me a lot
of hope either (although I am not a C coder). So my question is: is it
possible to route OCSP traffic from mod_nss through an HTTP proxy server?
If so, how?
Right now mod_nss relies on the built-in NSS OCSP client, which is
relatively feature-poor. I had worked on curl integration at one point
long ago but never got it to a point where I was satisfied with its
quality. I can see about reviving this code, if I can find it, to see
what state it is in, perhaps as an experimental feature.
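For readers following the thread, here is an added illustration (not from the thread, and not configuration shipped by the mod_nss project) of the nss.conf directives under discussion. NSSOCSPDefaultURL is the directive Mike names; the NSSOCSP and NSSOCSPDefaultResponder directives and the NSSOCSPDefaultName nickname are assumed from mod_nss's documented directive set, and the responder URL and nickname are placeholders.

```apache
# Added example of a mod_nss OCSP stanza in nss.conf (assumed directive names
# beyond NSSOCSPDefaultURL; placeholder values).
<VirtualHost _default_:443>
    NSSEngine on
    NSSCertificateDatabase /etc/httpd/alias

    # Turn on revocation checking of client certificates via OCSP.
    # Assumed directive: NSSOCSP
    NSSOCSP on

    # Send every OCSP query to one fixed responder instead of the AIA URL
    # in each client certificate. Assumed directive: NSSOCSPDefaultResponder
    NSSOCSPDefaultResponder on

    # Directive named in the thread; placeholder responder URL.
    NSSOCSPDefaultURL http://ocsp.example.invalid/

    # Nickname (in the NSS database) of the certificate that signs
    # responses from the default responder. Assumed directive; placeholder.
    NSSOCSPDefaultName "OCSP Responder Cert Placeholder"
</VirtualHost>
```

Note that none of these directives name a proxy: as Rob says above, mod_nss hands the query to NSS's built-in OCSP client, so the server itself must be able to open an HTTP connection to the responder URL. In an enclave where outbound HTTP is only allowed through a proxy, that connection fails, and with NSSOCSP on the client-certificate check fails closed rather than silently skipping revocation.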