On May 11, 2004 02:23 am, Hotmail wrote:
> I plan to add OCSP support to mod_ssl.
Cool, this will probably make quite a few people happy(ier).
[snip]
> 3. In "ssl_callback_SSLVerify_Validity( )":
>
> - if the parameter "UseOCSP" is on, try an OCSP check
>
> - if the OCSP check failed because the certificate is revoked =>
> return error
>
> - if the OCSP check succeeded => return ok ("ok" is an input
> parameter, don't know what it is exactly)
>
> - call "ssl_callback_SSLVerify_CRL( )" and return result
>
> Do you see any problem with that?
The only thing I can see is the blocking-vs-non-blocking semantics of the
CRL lookup. For "traditional" apache, this isn't a problem as you have an
entire child process dedicated to serving the current request, and so you
can block all you need to. However the desire to have the modules
plug-and-go in different MPM scenarios could run up against problems if
the CRL lookup is latent (which is quite likely, as the "raison d'être"
for PKI and OCSP is to permit authentication *at a distance*). I assume
this wouldn't be a problem with kernel-threading, but it would definitely
cause speed-bumps for green/user-threading. Then again, maybe this isn't
a problem. In the worst case, it could be left as a known-limitation -
presumably anyone wanting to use OCSP on client-authentication already
has a fairly clear idea of the configuration and architecture they are
after and so can live with any additional rules you impose.
> Is somebody interested in testing that code, or even working on it?
I really can't help here, but I wish you the best with it.
Cheers,
Geoff
--
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/
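The verify ordering proposed above, as an added Python model that is not part of the thread and not mod_ssl code: OCSP first when UseOCSP is on, then the existing CRL check. The names (verify_validity, OcspStatus, the sample serials, the fake responder) are assumptions made for the illustration; `ok` is taken to be the result of the preceding chain checks, which is what OpenSSL hands a verify callback as preverify_ok. The model also makes explicit two things the proposal leaves open: an OCSP answer that is neither "good" nor "revoked" (unknown, or no usable response at all) falls through to the CRL check instead of passing, and the lookup is bounded by a timeout so a latent responder, the blocking concern raised in the reply, cannot stall the request indefinitely.

```python
"""Model of the proposed ssl_callback_SSLVerify_Validity() ordering:
OCSP first (if UseOCSP is on), then the existing CRL check.

Added illustration, not mod_ssl code.  `ok` is assumed to be the result of
the preceding chain checks (OpenSSL's preverify_ok); certificates, responder
and CRL are constructed stand-ins."""
import enum
import threading
import time


class OcspStatus(enum.Enum):
    GOOD = "good"                # responder vouches for the cert
    REVOKED = "revoked"          # responder says it is revoked
    UNKNOWN = "unknown"          # responder answered but has no record of it
    UNAVAILABLE = "unavailable"  # no usable answer: error, garbage, or timeout


def ocsp_check_with_timeout(ocsp_check, cert, timeout):
    """Run a possibly blocking OCSP lookup in a daemon thread and stop waiting
    after `timeout` seconds; a responder that never answers yields UNAVAILABLE
    instead of holding the request for as long as the network takes."""
    result = []

    def worker():
        try:
            result.append(ocsp_check(cert))
        except Exception:  # network failure, malformed response, ...
            result.append(OcspStatus.UNAVAILABLE)

    t = threading.Thread(target=worker, daemon=True)
    t.start()
    t.join(timeout)
    if t.is_alive() or not result:
        return OcspStatus.UNAVAILABLE
    return result[0]


def verify_validity(ok, cert, use_ocsp, ocsp_check, crl_check, ocsp_timeout=1.0):
    """REVOKED from OCSP is final; GOOD returns the caller's `ok`; anything
    less definite (UNKNOWN, UNAVAILABLE, or OCSP disabled) falls through to
    the CRL, so a dead responder cannot admit a cert the CRL already lists."""
    if use_ocsp:
        status = ocsp_check_with_timeout(ocsp_check, cert, ocsp_timeout)
        if status is OcspStatus.REVOKED:
            return False
        if status is OcspStatus.GOOD:
            return ok
        # UNKNOWN / UNAVAILABLE: no definitive answer, consult the CRL below
    return crl_check(cert)


# --- constructed sample data (no real certificates or responders) ----------
CRL_REVOKED_SERIALS = {0x1002, 0x1004}        # serials on the local CRL
OCSP_RESPONDER_DB = {0x1001: OcspStatus.GOOD,  # what the fake responder knows
                     0x1002: OcspStatus.REVOKED}


def crl_check(cert):
    """CRL-style lookup: accept unless the serial is listed."""
    return cert["serial"] not in CRL_REVOKED_SERIALS


def fake_ocsp_check(cert):
    """Responder that answers at once from its table, UNKNOWN otherwise."""
    return OCSP_RESPONDER_DB.get(cert["serial"], OcspStatus.UNKNOWN)


def hung_ocsp_check(cert):
    """Responder that never answers in time (the latency case from the reply)."""
    time.sleep(5)
    return OcspStatus.GOOD


def run_scenarios():
    """Return name -> verdict for the cases a reviewer would want covered."""
    good, revoked = {"serial": 0x1001}, {"serial": 0x1002}
    unknown_clean, unknown_on_crl = {"serial": 0x1003}, {"serial": 0x1004}
    return {
        "ocsp good": verify_validity(True, good, True, fake_ocsp_check, crl_check),
        "ocsp good, chain failed": verify_validity(False, good, True, fake_ocsp_check, crl_check),
        "ocsp revoked": verify_validity(True, revoked, True, fake_ocsp_check, crl_check),
        "ocsp unknown, crl clean": verify_validity(True, unknown_clean, True, fake_ocsp_check, crl_check),
        "ocsp unknown, on crl": verify_validity(True, unknown_on_crl, True, fake_ocsp_check, crl_check),
        "ocsp off, on crl": verify_validity(True, revoked, False, fake_ocsp_check, crl_check),
        "responder hung, crl clean": verify_validity(True, good, True, hung_ocsp_check, crl_check, 0.2),
    }


def hung_responder_elapsed(timeout=0.2):
    """Seconds verify_validity() spends when the responder never answers."""
    started = time.monotonic()
    verify_validity(True, {"serial": 0x1001}, True, hung_ocsp_check, crl_check, timeout)
    return time.monotonic() - started


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28s} {verdict}")
    print(f"hung responder bounded to {hung_responder_elapsed():.2f}s")
```

The thread-plus-timeout is only a way of showing that the wait must be bounded; inside a real MPM the choice between blocking, an asynchronous lookup, or simply documenting the limitation is the configuration decision the reply talks about. The other decision worth making explicit in a real implementation is whether UNAVAILABLE should fail closed; the model falls through to the CRL because that is what the proposed ordering does anyway, but an operator relying on OCSP alone would want a switch for it.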