On Mon, Aug 04, 2003, Werner Johansson wrote:

> Thanks for the input!
> 
> I see now how some of the options to the ocsp command would make sense
> (as it's being used as a test tool).
> What I was experimenting with here was the possibility to create a small
> module for Apache that could make an OCSP check before allowing a client
> to connect using client certificates, and the ocsp mode of OpenSSL would
> be perfect for that it seems.. And given that the SSLv3 client sends the
> actual cert chain to the server (except the root CA if I'm not
> mistaken), then one could extract the actual CAs needed from there and
> only trust the root CA, right??
> 

Well the root is optional in the client cert chain.

There is of course the possibility that the client certificate is signed
directly by the root so you'd have to look it up in that case anyway.

Other than that it's certainly feasible, but the OCSP check should be done after
a normal verify (which will build the chain anyway) in case an attacker is
trying to do some kind of attack based on feeding bad data from a bogus OCSP
server.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
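Below is an added example, not part of this thread and not the OpenSSL project's own code, showing the ordering Steve describes with the openssl command line: a normal chain verify with only the root trusted and the client-supplied intermediate passed as -untrusted input, then an OCSP check that names the issuer the verified chain produced and validates the response against that same root, including what happens when the response comes from a bogus responder and after the leaf is revoked. It builds a throwaway root/intermediate/leaf PKI itself, so every file name, subject and serial in it (root.pem, inter.pem, leaf.pem, rogue.pem, the index.txt entry) is constructed for the demo, and it stands in for the HTTP round trip by running `openssl ocsp` in responder mode against an index.txt status file. It assumes only an openssl binary (1.1.1 or later) on PATH:

```shell
#!/bin/sh
# Added example, not from the original thread: a normal chain verify first,
# then an OCSP check that uses the issuer taken from the verified chain,
# done with the openssl CLI on a throwaway PKI generated below. All file
# names, subjects and serials are constructed for the demo.
set -u

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK" || exit 1

# issue_cert NAME SUBJECT EXTFILE SERIAL [ISSUER]; no ISSUER means self-signed.
issue_cert() {
  name=$1; subject=$2; ext=$3; serial=$4; issuer=${5:-}
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subject" \
    -keyout "$name.key" -out "$name.csr" >/dev/null 2>&1 || return 1
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 365 -sha256 \
      -set_serial "$serial" -extfile "$ext" -out "$name.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -days 365 -sha256 -set_serial "$serial" -extfile "$ext" -out "$name.pem" >/dev/null 2>&1
  fi
}

# Root -> intermediate -> client leaf, plus an unrelated self-signed cert
# standing in for a bogus OCSP responder.
make_test_pki() {
  rm -f req.der resp.der
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > ee.ext
  issue_cert root  "/CN=Test Root CA"         ca.ext 0x1          || return 1
  issue_cert inter "/CN=Test Intermediate CA" ca.ext 0x1001 root  || return 1
  issue_cert leaf  "/CN=werner"               ee.ext 0x2001 inter || return 1
  issue_cert rogue "/CN=Bogus OCSP Responder" ee.ext 0x3001       || return 1
  # index.txt fields: status, expiry, revocation date, serial (hex), file, subject.
  # "V" = valid. The responder does not consult the expiry, so a fixed value is used.
  printf 'V\t991231235959Z\t\t2001\tunknown\t/CN=werner\n' > index.txt
}

# Mark the leaf revoked as of now ("R" entry with a YYMMDDHHMMSSZ revocation time).
revoke_leaf() {
  printf 'R\t991231235959Z\t%s\t2001\tunknown\t/CN=werner\n' "$(date -u +%y%m%d%H%M%SZ)" > index.txt
}

# Step 1: verify_chain LEAF [-untrusted CHAINFILE]. Only root.pem is trusted;
# whatever the client sent alongside its cert is -untrusted material that
# verify may use to build the chain but never trusts on its own.
verify_chain() {
  leaf=$1; shift
  if openssl verify -CAfile root.pem -purpose sslclient "$@" "$leaf" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Step 2: ocsp_status RESPONDER_CERT RESPONDER_KEY. Builds the request for
# leaf.pem naming the issuer the verified chain produced, has the responder
# answer it from index.txt (standing in for the HTTP round trip), then checks
# the response against root.pem. The printed status counts only if openssl
# exits 0, i.e. only if the response signature chains to our trust anchor.
ocsp_status() {
  rm -f req.der resp.der
  openssl ocsp -issuer inter.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null 2>&1 || true
  [ -s req.der ] || { echo error; return; }
  openssl ocsp -index index.txt -CA inter.pem -rsigner "$1" -rkey "$2" \
    -reqin req.der -respout resp.der >/dev/null 2>&1 || { echo error; return; }
  out=$(openssl ocsp -issuer inter.pem -cert leaf.pem -no_nonce -CAfile root.pem \
    -respin resp.der 2>/dev/null) || { echo verify-failed; return; }
  printf '%s\n' "$out" | sed -n 's/^leaf\.pem: //p' | head -n 1
}

make_test_pki || { echo "could not build the test PKI (is openssl on PATH?)"; exit 1; }
echo "chain verify, root trusted + client-supplied intermediate: $(verify_chain leaf.pem -untrusted inter.pem)"
echo "chain verify, intermediate missing:                        $(verify_chain leaf.pem)"
echo "OCSP, response signed by the issuing CA:                   $(ocsp_status inter.pem inter.key)"
echo "OCSP, response signed by a bogus responder:                $(ocsp_status rogue.pem rogue.key)"
revoke_leaf
echo "OCSP after revocation:                                     $(ocsp_status inter.pem inter.key)"
```

In the bogus-responder case openssl still prints the `leaf.pem: good` status line on stdout; only the non-zero exit status (and "Response Verify Failure" on stderr) says the response did not chain to the trust anchor, which is why the status is read only after the exit status has been checked. The same applies to an Apache module doing this in C: the OCSP_basic_verify() result decides, not the status field in the response.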
