So on all valid certificates mod_nss will check the CRL and also OCSP, even when the relevant CRL exists in the database? I assumed that if the client cert serial number isn't found in the CRL then mod_nss would accept the cert as "good" and process the request - and only move on to OCSP if the relevant CRL doesn't exist in the nss db?
Thank you for your attention, -Albert Smith Infrastructure Team OUSD(AT&L) eBusiness Center 703 571-3015 -----Original Message----- From: Rob Crittenden [mailto:[email protected]] Sent: Thursday, July 28, 2016 11:17 AM To: Smith, Albert L CTR OSD OUSD ATL (US); [email protected] Subject: Re: [Non-DoD Source] Re: [Mod_nss-list] Revoc check via CRL and OCSP Smith, Albert L CTR OSD OUSD ATL (US) wrote: > Thanks for the quick answer Rob. > > Also - My website is servicing users spread among 60-ish CA's. > > Do I understand this correctly to mean that if I load the CRL's into the NSS > db nightly, my website will always do a revocation check against the CRL in > the NSS DB, and only go to OCSP if the CRL is missing? What is the expected > behavior if the CRL exists in the NSS DB but is stale? Not exactly. NSS will check the CRL for the certificate. If it is not there it will check OCSP. If that is successful the mod_nss will process the request. I'm not 100% sure of this but I believe that NSS will use the CRL it has regardless of the Next Update value. > mod_revocator - I looked at that but decided to write a Perl program to > gather all of the CRL's nightly and load them into the NSS DB. This is > because I had to do that anyway because of our disconnected dev/test networks. Ok, cool. rob > > Thank you for your attention, > > -Albert Smith > Infrastructure Team > OUSD(AT&L) eBusiness Center > 703 571-3015 > > > -----Original Message----- > From: Rob Crittenden [mailto:[email protected]] > Sent: Thursday, July 28, 2016 10:00 AM > To: Smith, Albert L CTR OSD OUSD ATL (US); [email protected] > Subject: [Non-DoD Source] Re: [Mod_nss-list] Revoc check via CRL and > OCSP > > Smith, Albert L CTR OSD OUSD ATL (US) wrote: >> Hello, >> >> I'm running RHEL6 with "httpd-2.2.15-53" and "mod_nss-1.0.10-6". >> >> My webserver is currently configured to do revocation checking vi OCSP and >> is working fine, except when we encounter failures with the OCSP service >> provider. >> >> I would like to configure my webserver to check OCSP first, and in >> the case of a failure, use CRL files (either local files on disk or >> CRL files loaded into the NSS database) as a secondary. (If OCSP >> then CRL isn't possible, is CRL then OCSP possible?) >> >> Is this possible, and if it is what are the relevant NSS directives to set? > > NSS will check a CRL automatically if one has been loaded (see crlutil). > It does this before doing an OCSP check. > > The behavior you're seeing won't really change though. If the OCSP check > cannot be made then the request will fail. There is no configuration setting > to tune that. > > For automated CRL handling you might want to look at mod_revocator, another > Apache module. This will retrieve and load updated CRLs without requiring a > restart of Apache. > > rob >
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Mod_nss-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/mod_nss-list
