[Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 39, Issue 12

Mike Carroll tycoon1_98 at yahoo.com
Tue Aug 12 04:20:58 UTC 2008


 
I'm sorry if I am screwing up my reply to your comment, but this is the first time I've gotten involved with a mailing list before. To your comment, Rob, I think adding this in would be a really cool feature. Ever since that article showed up in BigAdmin about integrating mod_nss into Apache, it has created a lot of buzz within the Department of Defense because of the OCSP plug-in. The DoD currently has the largest PKI implementation in the world, and a key component is efficient, and easy, OCSP checking, which mod_nss has the capability of doing (on paper at least: I still haven't gotten it to work in my dev environment) without dropping some cash to Tumbleweed and CoreStreet. However, a lot of the servers (and especially desktop users) have to route their HTTP traffic through a proxy server in order to go outside the network enclave. So I can definitely see the need for the ability to proxy OCSP traffic.
 
Also, on a side note... were you the one who responded to my support question to Red Hat on this? They gave me the same answer :)

Mike Carroll wrote:
> I've currently configured mod_nss-1.0.7 to replace mod_ssl in Apache 
> 2.2.9, and there is a configuration parameter in nss.conf, 
> NSSOCSPDefaultURL, where you can specify the URL for an OCSP server. In 
> order to route traffic outbound from the server we have to route all 
> HTTP traffic through a proxy server. However, the documentation has 
> been vague on this point, and looking at mod_ocsp.c doesn't give me a lot 
> of hope either (although I am not a C coder). So my question is: is it 
> possible to route OCSP traffic from mod_nss through an HTTP proxy server? 
> If so, how?

Unfortunately, no.

Right now mod_nss relies on the built-in NSS OCSP client which is 
relatively feature-poor. I had worked on curl integration at one point 
long ago but never got it to a point where I was satisfied with its 
quality. I can see about reviving this code, if I can find it, to see 
what state it is in, perhaps as an experimental feature.

rob