Joe Orton wrote:
> ...
> w.r.t. the change to skip OCSP validation for valid self-signed certs, I
> brought this up a while back:
>
> http://www.mail-archive.com/dev@httpd.apache.org/msg38849.html
>
> and Stephen said it should probably be configurable. Has common practice
> evolved here such that hard-coding the less strict behaviour is
> reasonable?
>
Are you referring to support for responders which sign responses using a key which is trusted by some out-of-band means (such as with a self-signed cert)? The main OCSP responders in the U.S. DoD have been signing with a self-signed cert for some time (an *expired* self-signed cert, no less!). Just recently I was checking an OCSP problem and noted that I was getting responses signed by an intermediate (to the CA) certificate, but since there are many such responders I can't be sure they are all now doing that. So, I'd like to see support for out-of-band responder keys. As it is I've had to hack in a fix to ignore the expired self-signed cert.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com