That's right! The only things I need to catch are the client email, to perform
the search in the LDAP v2 directory, and the client certificate in DER, to check
whether it's present in the directory.
Right now I'm catching the client email with ssl_var_lookup and the X509 cert
in ssl_callback_verify, then I convert it into a DER file with i2d_X509(). How
can I get the client email and the cert in DER (during client auth) via EAPI in
an independent module, ssl_ocsp_ldap.c? Then I need to generate some kind of
connection error, or simply a warning message, if the cert is suspended, and I
will try to subject the enabling of the module to the config file and to make
the OCSP function compliant with the IETF document.
This is my work for my graduation thesis in computer engineering at the
University of Modena, Italy, so it's very important for me to have your approval.

Thanks a lot !

-----Original Message-----
From: Ralf S. Engelschall <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, 8 April 1999 20.06
Subject: Re: ocsp developing


>On Thu, Apr 08, 1999, Andrea e Luca Giacobazzi wrote:
>
>> Hi everybody, my name is Andrea Giacobazzi, and I'm developing a patch for
>> mod_ssl, exactly in function ssl_engine_kernel.c (look at labels "Giacob"),
>> to realize an ocsp responder to verify the client certificate during client
>> authentication. It works with an LDAP directory v2 and looks for the client
>> cert in the directory: if it's present, set ocsp status GOOD, else set ocsp
>> status SUSPENDED. You can change the directory name in the ldapservers var.
>>
>> Anyone interested in it? Any hints?
>>
>> I'd like to realize a complete ocsp responder for ldap, and also http then,
>> compliant with IETF directives (see ocsp draft) and maybe include it in
>> mod_ssl. I'd also like to subject the activation of the ocsp check to the
>> config file of the apache server: how is it possible to do that?
>
>Looks interesting, but I see no reason why you have to patch such an OCSP
>responder service directly into mod_ssl.  With the help of EAPI it should be
>trivial to form your own mod_ocsp.c out of your code. If I see it correctly,
>all you need is that I add an EAPI hook to ssl_callback_SSLVerify() which
>allows your module to be called while the certificate is verified by mod_ssl.
>The whole processing can then be done entirely inside your mod_ocsp.c, because
>it looks independent of mod_ssl/OpenSSL because it mainly deals with the LDAP
>library, right? Even the ssl_var_lookup() function you use can still be called
>via EAPI, of course.
>                                       Ralf S. Engelschall
>                                       [EMAIL PROTECTED]
>                                       www.engelschall.com
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl)  www.engelschall.com/sw/mod_ssl/
>Official Support Mailing List               [EMAIL PROTECTED]
>Automated List Manager                       [EMAIL PROTECTED]
>
>
