Hello Davy,

I have a question about your patch for OCSP support:

The OCSP URL is specified with the "ocsp-url" option in the configuration. It's OK if you have only one CA in your PKI (and so only one OCSP responder), but what happens if you have a real PKI with multiple CAs (so potentially more than one OCSP responder)?

The OCSP responder URI should be stored under the AIA (Authority Information Access) extension in each X509 certificate. What about using the AIA extension of each cert (and, if it doesn't exist, why not the "ocsp-url" specified in the configuration) in order to support multiple CAs and multiple OCSP responders in a PKI?


Regards

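The per-certificate lookup proposed above, as an added example that is not part of the thread or of the OCSP patch being discussed: it reads the OCSP access location from the certificate's AIA extension with the openssl CLI and only falls back to the configured "ocsp-url" value when the extension is absent. The certificates are constructed inside the script, the responder host names are hypothetical, and the only assumption is an openssl binary on PATH.

```shell
#!/bin/sh
# Added example (not from the thread or the patch): pick the OCSP responder
# per certificate from its AIA extension, falling back to a configured URL.
# Uses only the openssl CLI; the certificates are constructed in this script.
set -eu

# Print the OCSP responder to use for certificate $1.
# $2 is the configured fallback (the "ocsp-url" option in the discussion).
# The AIA URI is preferred because it sits inside the CA-signed certificate,
# so each CA in a multi-CA PKI can name its own responder.
ocsp_responder_for() {
    cert=$1
    fallback=$2
    # -ocsp_uri prints the OCSP access locations from AIA, one per line,
    # and prints nothing when the extension is absent.
    uri=$(openssl x509 -in "$cert" -noout -ocsp_uri 2>/dev/null | head -n 1)
    if [ -n "$uri" ]; then
        printf '%s\n' "$uri"
    else
        printf '%s\n' "$fallback"
    fi
}

# Create two constructed self-signed certificates in directory $1:
#   with_aia.pem  carries an AIA OCSP URI (hypothetical host ocsp.ca1.example.test)
#   no_aia.pem    carries no AIA extension at all
make_sample_certs() {
    dir=$1
    cat > "$dir/aia.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_aia
[dn]
CN = sample-with-aia
[v3_aia]
authorityInfoAccess = OCSP;URI:http://ocsp.ca1.example.test/
EOF
    cat > "$dir/plain.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = sample-without-aia
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/aia.cnf" -keyout "$dir/k1.pem" -out "$dir/with_aia.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/plain.cnf" -keyout "$dir/k2.pem" -out "$dir/no_aia.pem" 2>/dev/null
}

# Stand-alone demo: run as "sh this.sh demo"
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_sample_certs "$d"
    ocsp_responder_for "$d/with_aia.pem" "http://ocsp.fallback.example.test/"
    ocsp_responder_for "$d/no_aia.pem"   "http://ocsp.fallback.example.test/"
    rm -rf "$d"
fi
```

The first certificate resolves to its own AIA responder, the second to the configured fallback. Whichever URL is chosen, the responder's answer must still be verified against the issuing CA (or a responder certificate it delegated to) before a certificate is accepted, and, as Davy notes later in the thread, the caller has to decide what happens when that responder is unreachable.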

Davy MELINA wrote:
Hi,

I don't know why the OCSP support is not included in the main source of OpenVPN (I need to update the patch for the rc7), but I know something:

- if your CRL (in a flat file) is not up to date, your OpenVPN will not crash
- if you decide to use an OCSP server with OpenVPN (and my patch) and your OCSP server crashes, your OpenVPN will be blocked.

From my experience, I built two OCSPd behind LVS and I bypass this problem.

What do you think about that?

Regards,

Davy

On 16 June 08 at 22:52, Faidon Liambotis wrote:

Hi,
In light of the Debian OpenSSL vulnerability, I was looking for a way to efficiently check for revoked certificates.
Updating CRLs is one way but it's not exactly efficient.

I've found that someone has actually implemented OCSP for OpenVPN[1].
Is there any specific reason that this hasn't been merged?

I saw evidence on the openvpn-devel archives that this was submitted almost a year ago but I didn't see any reviews or comments whatsoever.

James, perhaps this should be included in -rc9?

Regards,
Faidon

1: http://www.block64.net/

