I'm sorry if I am screwing up my reply to your comment, but this is the first time I've gotten involved with a mailing list before.* To your comment Rob I think adding this in would be a really cool feature. Ever since that article showed up in bigadmin about integrating mod_nss into Apache it has created a lot of buzz within the department of defense because of the OCSP plug-in. The DoD currently has the largest PKI implementation in the world and key component is efficient, and easy, OCSP checking which mod_nss has the capability of doing (on paper at least: I still haven't gotten it to work in my dev enviornment) without dropping some cash to Tumbleweed and Corestreet. However, alot of the servers (and especially*desktop users) have to route their http traffic through a proxy server in order to go outside the network enclave. So I can definitly see the need for the ability to proxy OCSP traffic.
Also, on a side note...but where you the one who responded to my support question to Red Hat on this...they gave me the same answer
Mike Carroll wrote:
> I've currently configured mod_nss-1.0.7 to replace mod_ssl in apache
> 2.2.9 and there is a configuration paramater nss.conf,
> NSSOCSPDefaultURL, where you can specfic the URL for an ocsp server. In
> order to route traffic out-bound from the server we have to route all
> http traffic through a proxy server. However, the documentation has
> been vague on this point and looking at mod_ocsp.c doesn't give me a lot
> of hope eaither (Although I am not a C coder). So my question is it
> possible to route OCSP trafficfrom mod_nss through an http proxy server?
> if so how?
Right now mod_nss relies on the built-in NSS OCSP client which is
relatively feature-poor. I had worked on curl integration at one point
long ago but never got it to to a point where I was satisfied with its
quality. I can see about reviving this code, if
I can find it, to see
what state it is in, perhaps as an experimental feature.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
Url : https://www.redhat.com/archives/fedora-directory-users/attachments/20080810/e8eb83cb/smime.bin
Fedora-directory-users mailing list