Thanks Eriks, appreciate the info. We are using HP-UX, so the Tumbleweed solution won't work for us. We do have an HP version of Apache that has the OCSP mod of mod_ssl, but we just installed it (today) and haven't had a chance to look at the documentation yet. Will post back and let you know what we found out. Thanks again.
Paul

Richters, Eriks A wrote:
>
> I went down this road a few months ago. Someone wrote a patch that
> would add OCSP client functionality to Apache, but the patch never got
> folded into the Apache mainline code. We spent a bit of effort trying
> to get the patch to work with our version of Apache with no luck.
> There are two products from commercial organizations out there that can
> help. One is from Tumbleweed, called Server Validator. It's pricey,
> about $2000 per server, but works pretty well. It's very easy to install
> and configure and has some nice features for supporting OCSP and failing
> over to CRLs. It is supported on several platforms.
> The other product is called WebCullis from the organization that used to
> be Orion Security. (Orion Security has since been bought by Entrust.)
> It used to be under the GPL, which was nice. At the time, they only had
> a version for Windows and Intel based Solaris.
> I hope this helps.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of pbains
> Sent: Wednesday, October 11, 2006 4:32 PM
> To: [email protected]
> Subject: Re: OCSP? (UNCLASSIFIED)
>
>
> My organization is headed down this road after experiencing performance
> degradation from checking large CRLs. As we come up with a solution, will
> post what I find out. Alternatively, if you have any information, would
> appreciate it, thanks!
>
> Paul
>
>
> Victor, Dwight P CTR DISA PAC wrote:
>>
>> Classification: UNCLASSIFIED
>> Caveats: NONE
>>
>>
>> Hello List!
>>
>> Has anyone had any experience/success with using mod_ssl + Apache v2 to
>> query an OCSP responder regarding the status of an end-user provided
>> certificate and allow/deny access based on the response? Any tips,
>> suggestions, discussion would be appreciated.
>>
>> Best Regards,
>>
>> Dwight...
>>
>> ---
>> Dwight Victor, CISSP (Contractor)
>> Systems Administrator / Webmaster
>> General Dynamics C4 Systems
>> EMAIL: [EMAIL PROTECTED]
>> TEL: (808) 653-3677 ext 229
>>
>> Classification: UNCLASSIFIED
>> Caveats: NONE
>>
>
> --
> View this message in context:
> http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.html#a6764147
> Sent from the mod_ssl - Users mailing list archive at Nabble.com.
>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [email protected]
> Automated List Manager [EMAIL PROTECTED]

--
View this message in context: http://www.nabble.com/OCSP--%28UNCLASSIFIED%29-tf1638361.html#a6764600
