08-12-2008, 04:20 AM
Mike Carroll
Fedora-directory-users Digest, Vol 39, Issue 12

I'm sorry if I am screwing up my reply to your comment, but this is the first time I've gotten involved with a mailing list before. To your comment, Rob, I think adding this in would be a really cool feature. Ever since that article showed up in bigadmin about integrating mod_nss into Apache it has created a lot of buzz within the Department of Defense because of the OCSP plug-in. The DoD currently has the largest PKI implementation in the world and a key component is efficient, and easy, OCSP checking, which mod_nss has the capability of doing (on paper at least: I still haven't gotten it to work in my dev environment) without dropping some cash to Tumbleweed and Corestreet. However, a lot of the servers (and especially desktop users) have to route their http traffic through a proxy server in order to go outside the network enclave. So I can definitely see the need for the ability to proxy OCSP traffic.
Also, on a side note... but were you the one who responded to my support question to Red Hat on this? They gave me the same answer.

Mike Carroll wrote:
> I've currently configured mod_nss-1.0.7 to replace mod_ssl in apache
> 2.2.9 and there is a configuration parameter in nss.conf,
> NSSOCSPDefaultURL, where you can specify the URL for an ocsp server. In
> order to route traffic out-bound from the server we have to route all
> http traffic through a proxy server. However, the documentation has
> been vague on this point and looking at mod_ocsp.c doesn't give me a lot
> of hope either (although I am not a C coder). So my question is: is it
> possible to route OCSP traffic from mod_nss through an http proxy server?
> If so, how?

Unfortunately, no.

Right now mod_nss relies on the built-in NSS OCSP client which is
relatively feature-poor. I had worked on curl integration at one point
long ago but never got it to a point where I was satisfied with its
quality. I can see about reviving this code, if I can find it, to see
what state it is in, perhaps as an experimental feature.
