As Steve Marquess recently mentioned I've been working on a patch to implement OCSP stapling support for mod_ssl.
The first version of OpenSSL which will support OCSP stapling will now be 0.9.8h, not 0.9.8g as originally announced.

It has been suggested that performing OCSP queries via the sub request mechanism would be a good idea and I've been exploring this option. For those not familiar with OCSP, all a query entails is sending an HTTP request to a server using the POST (or occasionally GET) mechanism and examining the response.

I've hit a few problems though. I haven't found much documentation about how to use sub requests for HTTP: any pointers?

I would really need to include a configurable timeout on the sub request so appropriate measures could be taken if the OCSP responder didn't, erm, respond. Is that possible?

The main problem though is that adding a sub request is done via the request_rec structure. In mod_ssl this doesn't seem to be available at the time when it is needed. The OCSP query would need to be made during the SSL/TLS handshake and the actual page requested is not known until after the handshake is complete. Is there some way round this or an alternative technique to make a sub request?

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
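As an added illustration of the query described in the post (example code, not from the post, OpenSSL or mod_ssl), the following Python builds the DER-encoded OCSPRequest by hand, POSTs it with a hard timeout so a silent responder fails fast, and reads the responseStatus before anything else is trusted. The issuer name, issuer key bytes, serial number and responder URL are constructed placeholders, not values from the post.

```python
import contextlib
import hashlib
import http.client
import urllib.parse

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with minimal definite-length encoding."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def der_integer(value: int) -> bytes:  # value >= 0; leading 0x00 keeps it positive when the top bit is set
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

SHA1_ALGID = der(0x30, bytes.fromhex("06052b0e03021a") + b"\x05\x00")  # AlgorithmIdentifier: sha1 OID + NULL

def build_ocsp_request(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> bytes:
    """Unsigned OCSPRequest (RFC 2560 4.1.1); issuer_key_bits = contents of the issuer's subjectPublicKey BIT STRING."""
    cert_id = der(0x30, SHA1_ALGID
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())  # issuerNameHash
                  + der(0x04, hashlib.sha1(issuer_key_bits).digest())  # issuerKeyHash
                  + der_integer(serial))                               # serialNumber
    request = der(0x30, cert_id)                 # Request ::= SEQUENCE { reqCert CertID }
    tbs_request = der(0x30, der(0x30, request))  # TBSRequest { requestList SEQUENCE OF Request }
    return der(0x30, tbs_request)                # OCSPRequest with optionalSignature absent

# Constructed sample input (not from the post): issuer Name "CN=Test CA", a dummy key, serial 0x1234.
SAMPLE_NAME = bytes.fromhex("30123110300e0603550403130754657374204341")
SAMPLE_REQUEST = build_ocsp_request(SAMPLE_NAME, b"\x01" * 65, 0x1234)

def post_ocsp_request(responder_url: str, request_der: bytes, timeout: float) -> bytes:
    """POST per RFC 2560 A.1.1; a responder that never answers surfaces as socket.timeout (an OSError)."""
    u = urllib.parse.urlsplit(responder_url)
    with contextlib.closing(http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)) as conn:
        conn.request("POST", u.path or "/", request_der, {"Content-Type": "application/ocsp-request"})
        resp = conn.getresponse()
        if resp.status != 200 or resp.getheader("Content-Type") != "application/ocsp-response":
            raise RuntimeError(f"unexpected responder reply: HTTP {resp.status}")
        return resp.read()

def response_status(response_der: bytes) -> int:
    """OCSPResponse.responseStatus (0 = successful, 3 = tryLater); check it before parsing the body."""
    hdr = 2 if response_der[1] < 0x80 else 2 + (response_der[1] & 0x7F)
    if response_der[0] != 0x30 or response_der[hdr:hdr + 2] != b"\x0a\x01":
        raise ValueError("not an OCSPResponse")
    return response_der[hdr + 2]
```

A caller would wrap `post_ocsp_request("http://ocsp.example/", SAMPLE_REQUEST, timeout=5.0)` in a try block that treats `OSError` the same as a non-zero responseStatus: no usable response, so the stapled status is simply omitted rather than the handshake being blocked.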
