Andrea -

> Where is the best place to take the values from to compose a correct OCSP request
> and response during client authentication, and how?
> (values like X509_NAME*, STACK*, EVP_MD*, EVP_PKEY* ....)
> I'm thinking of taking them in the function get_client_certificates in module s3_srvr.c, and
> I'm trying to do it. Is that right?

Hmm. This question has a complicated answer that involves some OpenSSL code that's currently being enhanced. Nevertheless, let me give you my answer about how I'd integrate OCSP into the OpenSSL server code. I'm sure others, and particularly Stephen Henson, will have their own ideas about this.

The first part is easy. No, I wouldn't say s3_srvr.c:get_client_certificate() is the right place to put the OCSP client call. If you believe this belongs in the SSL code at all, then I'd argue a better place to put it would be in the nest of verify routines that starts with ssl_cert.c:verify_cert_chain(). One approach would be to write your own callback (app_verify_callback, which is reached from the s->ctx). A more integrated approach would be to enhance the routine x509_vfy.c:X509_verify_cert(). After some fancy footwork to build a cert chain, this routine boils down to yet another routine, x509_vfy.c:internal_verify(). Although X509_verify_cert() allows for the option of a per-context verify routine (and there's even a macro to initialize it), it never gets called (particularly not by the SSL code). The internal_verify routine does the X.509 thing, e.g. checks the signatures on the certs and checks the dates.

And then, in x509_vfy.c, line 392, there's a comment /* CRL CHECK */. *That's* the place I'd put the OCSP call.

On the other hand, others might argue this kind of thing should be done at the application level, e.g. from within your Apache server. If that'd be a help, we have a guy, John Rousseau, who's working on doing that right now. Send mail to him at [EMAIL PROTECTED].

> How can I send the response to the browser Netscape or to another
> server Apache (OCSP client)?

I'm not quite sure what this question means. If it means "When I do an OCSP query and I find the certificate has been revoked, how do I signal the client?" then the answer depends on the protocol you're running. If the protocol has an "Unauthorized" error, then that's what you should send. With HTTP you could pretty things up a little by translating the OCSP error information (if there is any) into some HTML, so the client would know just who disapproves of his or her certificate...

Hope this helps.

TT
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
