Re: OCSP-validation fails

On Tue, Aug 17, 2010 at 05:26:22PM +0200, Ulf Wahlqvist wrote:
> CASE 1/ If I set:
> SSLOCSPDefaultResponder http://ocsp.trust.telia.com
> SSLOCSPOverrideResponder on
> 
> The validation will fail with "SSL Library Error: error:2707307F:OCSP 
> routines:OCSP_check_validity:status too old"

Presuming this is not a system clock skew issue - mod_ssl enforces a max 
response age of 6 minutes at the moment.  This should be configurable 
but isn't; if you could file a bug on that it'd be great.

> CASE 3/ If I set:
> SSLOCSPDefaultResponder http://ocsp.trust.telia.com
> 
> - Try to authenticate - It will fail as in 2 above.
> - Do NOT close the browser (IE, by the way)
> - set:
> SSLOCSPDefaultResponder http://ocsp.trust.telia.com
> SSLOCSPOverrideResponder on
> - restart using apachectl graceful
> - Retry to authenticate - It will now SUCCEED!

You can reproduce this every time?  You have to misconfigure then 
reconfigure and restart the server to get it working?  Weird.

Regards, Joe

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
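
Added example (not part of the original thread and not mod_ssl's own code): a Python model of the thisUpdate/nextUpdate freshness test behind the "status too old" error, using the 6-minute maximum age quoted in the reply. The 60-second skew allowance, the function names and all timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=6)    # limit quoted in the reply above
MAX_SKEW = timedelta(seconds=60)  # assumed clock-skew allowance, not from the thread


def check_validity(this_update, next_update, now, max_age=MAX_AGE, skew=MAX_SKEW):
    """Return 'ok' or the reason the response's time window is rejected.

    Simplified model of the comparisons made by OpenSSL's
    OCSP_check_validity(); max_age=None disables the age limit.
    """
    if this_update > now + skew:
        return "status not yet valid"
    if max_age is not None and this_update < now - max_age:
        return "status too old"
    if next_update is None:
        return "ok"
    if next_update < now - skew:
        return "status expired"
    if next_update < this_update:
        return "nextupdate before thisupdate"
    return "ok"


def demo():
    """Run the check over constructed responses and return the verdicts."""
    now = datetime(2010, 8, 17, 15, 30, tzinfo=timezone.utc)  # constructed
    day = timedelta(days=1)
    fresh = (now - timedelta(seconds=30), now + day)
    # Signed two hours ago and still inside its own thisUpdate..nextUpdate window.
    signed_earlier = (now - timedelta(hours=2), now + timedelta(hours=22))
    return {
        "fresh": check_validity(*fresh, now),
        "signed_earlier": check_validity(*signed_earlier, now),
        "signed_earlier_no_age_limit": check_validity(*signed_earlier, now, max_age=None),
        # The same fresh response seen by a server whose clock is wrong.
        "server_clock_10min_fast": check_validity(*fresh, now + timedelta(minutes=10)),
        "server_clock_10min_slow": check_validity(*fresh, now - timedelta(minutes=10)),
        "past_next_update": check_validity(now - timedelta(minutes=3),
                                           now - timedelta(minutes=2), now),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30} {verdict}")
```

A response can be inside its own validity window and still be rejected on age alone, and a server clock running fast produces the same "status too old" verdict for a fresh response.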


