httpd-users mailing list archives

From Jeff Baranski <jeff.baran...@outlook.com>
Subject [users@httpd] OCSP / mod_ssl question
Date Tue, 13 Mar 2018 15:17:03 GMT
Hi,

I noticed when we turn SSLOCSPEnable on, mod_ssl tries to validate the entire certificate
chain using OCSP (as the docs already clearly state). Consider the following scenario:

Root CA > Intermediate CA > Client 1
Client 1 OCSP response "good", Intermediate CA has no OCSP URI, validation fails and Apache
complains.

When using openssl cmd line I can request validation on *just* the client certificate without
having a second implicit OCSP request made on the Intermediate CA.

It seems this is done on purpose, but I want to understand better why? Also is it controllable
(meaning tell Apache to only make the OCSP request on the client certificate)?

Any input would be appreciated.

Thanks,
Jeff
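
As an added example (not part of the original message and not httpd's own code), this script lists the certificates in a PEM chain that carry no OCSP responder URI, the condition the message describes for the Intermediate CA. The function names, the sample subjects and the `ocsp.example.test` URL are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample chain: Root CA > Intermediate CA > Client 1, written to DIR/chain.pem.
# Only Client 1 gets an OCSP URI, matching the scenario in the message.
make_sample_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    printf 'basicConstraints=CA:TRUE\n' > "$d/int.ext"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/int.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Client 1" \
        -keyout "$d/cli.key" -out "$d/cli.csr" 2>/dev/null
    printf 'authorityInfoAccess=OCSP;URI:http://ocsp.example.test/\n' > "$d/cli.ext"
    openssl x509 -req -in "$d/cli.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -extfile "$d/cli.ext" -out "$d/cli.pem" 2>/dev/null
    cat "$d/cli.pem" "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
}

# ocsp_gaps FILE: print the subject of every certificate in the PEM bundle FILE
# that is not self-issued and has no OCSP URI in its Authority Information Access.
ocsp_gaps() {
    dir=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate (1.pem, 2.pem, ...).
    awk -v d="$dir" '/BEGIN CERTIFICATE/{n++} n{print > (d "/" n ".pem")}' "$1"
    for c in "$dir"/*.pem; do
        subj=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$c" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        # Self-issued certificates (the root) are not OCSP-checked, so skip them.
        if [ "$subj" = "$iss" ]; then continue; fi
        # -ocsp_uri prints nothing when the certificate has no responder URI.
        if [ -z "$(openssl x509 -in "$c" -noout -ocsp_uri)" ]; then echo "$subj"; fi
    done
    rm -rf "$dir"
}

# With a file argument, audit that chain; with none, audit the constructed sample.
if [ $# -gt 0 ]; then
    ocsp_gaps "$1"
else
    tmp=$(mktemp -d) && make_sample_chain "$tmp" && ocsp_gaps "$tmp/chain.pem"
    rm -rf "$tmp"
fi
```

In httpd 2.4.34 and later, `SSLOCSPEnable leaf` restricts the OCSP check to the client certificate itself.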
