Re: Fedora-directory-users Digest, Vol 39, Issue 12

I'm sorry if I am screwing up my reply to your comment, but this is the first time I've gotten involved with a mailing list before. To your comment, Rob, I think adding this in would be a really cool feature. Ever since that article showed up in bigadmin about integrating mod_nss into Apache it has created a lot of buzz within the Department of Defense because of the OCSP plug-in. The DoD currently has the largest PKI implementation in the world and a key component is efficient, and easy, OCSP checking, which mod_nss has the capability of doing (on paper at least: I still haven't gotten it to work in my dev environment) without dropping some cash to Tumbleweed and Corestreet. However, a lot of the servers (and especially desktop users) have to route their http traffic through a proxy server in order to go outside the network enclave. So I can definitely see the need for the ability to proxy OCSP traffic.

Also, on a side note... but were you the one who responded to my support question to Red Hat on this? They gave me the same answer :)

Mike Carroll wrote:
> I've currently configured mod_nss-1.0.7 to replace mod_ssl in Apache 
> 2.2.9 and there is a configuration parameter in nss.conf, 
> NSSOCSPDefaultURL, where you can specify the URL for an OCSP server. In 
> order to route traffic out-bound from the server we have to route all 
> http traffic through a proxy server. However, the documentation has 
> been vague on this point and looking at mod_ocsp.c doesn't give me a lot 
> of hope either (although I am not a C coder). So my question: is it 
> possible to route OCSP traffic from mod_nss through an http proxy server? 
> If so, how?

Unfortunately, no.

Right now mod_nss relies on the built-in NSS OCSP client which is 
relatively feature-poor. I had worked on curl integration at one point 
long ago but never got it to a point where I was satisfied with its 
quality. I can see about reviving this code, if I can find it, to see 
what state it is in, perhaps as an experimental feature.

rob