Hello,
I plan to add OCSP support to modssl (and also enhance CRL support - see the end of the e-mail).
I have the code for the OCSP check, but I'd like to check the integration with everybody, as I will give the code back to you - if you're interesting in it :-)
Here is what I currently plan:
1. Add a parameter "UseOCSP" in the config file
2. In function "ssl_callback_SSLVerify( )", replace the call to "ssl_callback_SSLVerify_CRL( )" by a call to a new function "ssl_callback_SSLVerify_Validity( )", with exactly the same parameters
3. In "ssl_callback_SSLVerify_Validity( )":
- if the parameter "UseOCSP" is on, try an OCSP check
- if the OCSP check failed because the certificate is revoked => return error
- if the OCSP check succedded => return ok ("ok" is an input parameter, don't know what it is exactly)
- call "ssl_callback_SSLVerify_CRL( )" and return result
Do you see any problem with that ?
Is somebody interesting in testing that code, or even work on it ?
After that step, I will also add CRL automatic download. I will describe this in another e-mail.
Marc
- OCSP addition Rich Salz
- Re: OCSP addition Matthias Loepfe
- Re: OCSP addition Rich Salz
- Re: OCSP addition Goetz Babin-Ebell
- Marc Stern
