Smith, Albert L CTR OSD OUSD ATL (US) wrote:
Thanks for the quick answer Rob.
Also - My website is servicing users spread among 60-ish CA's.
Do I understand this correctly to mean that if I load the CRL's into the NSS db
nightly, my website will always do a revocation check against the CRL in the
NSS DB, and only go to OCSP if the CRL is missing? What is the expected
behavior if the CRL exists in the NSS DB but is stale?
Not exactly. NSS will check the CRL for the certificate. If it is not
there it will check OCSP. If that is successful the mod_nss will process
the request.
I'm not 100% sure of this but I believe that NSS will use the CRL it has
regardless of the Next Update value.
mod_revocator - I looked at that but decided to write a Perl program to gather
all of the CRL's nightly and load them into the NSS DB. This is because I had
to do that anyway because of our disconnected dev/test networks.
Ok, cool.
rob
Thank you for your attention,
-Albert Smith
Infrastructure Team
OUSD(AT&L) eBusiness Center
703 571-3015
-----Original Message-----
From: Rob Crittenden [mailto:[email protected]]
Sent: Thursday, July 28, 2016 10:00 AM
To: Smith, Albert L CTR OSD OUSD ATL (US); [email protected]
Subject: [Non-DoD Source] Re: [Mod_nss-list] Revoc check via CRL and OCSP
Smith, Albert L CTR OSD OUSD ATL (US) wrote:
Hello,
I'm running RHEL6 with "httpd-2.2.15-53" and "mod_nss-1.0.10-6".
My webserver is currently configured to do revocation checking vi OCSP and is
working fine, except when we encounter failures with the OCSP service provider.
I would like to configure my webserver to check OCSP first, and in the
case of a failure, use CRL files (either local files on disk or CRL
files loaded into the NSS database) as a secondary. (If OCSP then CRL
isn't possible, is CRL then OCSP possible?)
Is this possible, and if it is what are the relevant NSS directives to set?
NSS will check a CRL automatically if one has been loaded (see crlutil).
It does this before doing an OCSP check.
The behavior you're seeing won't really change though. If the OCSP check cannot
be made then the request will fail. There is no configuration setting to tune
that.
For automated CRL handling you might want to look at mod_revocator, another
Apache module. This will retrieve and load updated CRLs without requiring a
restart of Apache.
rob
_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list
