I'm sorry if I am screwing up my reply to your comment, but this is the first time I've gotten involved with a mailing list before. To your comment, Rob, I think adding this in would be a really cool feature. Ever since that article showed up in bigadmin about integrating mod_nss into Apache it has created a lot of buzz within the Department of Defense because of the OCSP plug-in. The DoD currently has the largest PKI implementation in the world and a key component is efficient, and easy, OCSP checking which mod_nss has the capability of doing (on paper at least: I still haven't gotten it to work in my dev environment) without dropping some cash to Tumbleweed and Corestreet. However, a lot of the servers (and especially desktop users) have to route their http traffic through a proxy server in order to go outside the network enclave. So I can definitely see the need for the ability to proxy OCSP traffic.

Also, on a side note...but were you the one who responded to my support question to Red Hat on this...they gave me the same answer :)

Mike Carroll wrote:
> I've currently configured mod_nss-1.0.7 to replace mod_ssl in apache
> 2.2.9 and there is a configuration parameter in nss.conf,
> NSSOCSPDefaultURL, where you can specify the URL for an ocsp server. In
> order to route traffic out-bound from the server we have to route all
> http traffic through a proxy server. However, the documentation has
> been vague on this point and looking at mod_ocsp.c doesn't give me a lot
> of hope either (Although I am not a C coder). So my question is it
> possible to route OCSP traffic from mod_nss through an http proxy server?
> if so how?

Unfortunately, no. Right now mod_nss relies on the built-in NSS OCSP client which is relatively feature-poor.

I had worked on curl integration at one point long ago but never got it to a point where I was satisfied with its quality.
I can see about reviving this code, if I can find it, to see what state it is in, perhaps as an experimental feature.

rob