On Tue, Jan 14, 2014, socket wrote:

> What I am saying is that one falls into the delegated trust model, and one
> does not, but I should be able to validate either because RFC 2560 allows
> for "a Trusted Responder whose public key is trusted by the requester". I am
> asking if mod_ssl in apache 2.4.x is RFC compliant. It seems to me openssl
> supports this explicitly via the -VAflag, but mod_ssl doesn't.
>

You don't need the -VAflag option. You can add explicit trust to the root PEM
file of the responder chain. See the "ocsp" manual page for details.

If you include that trusted root CA PEM file in the mod_ssl trusted certificate
store it should work.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
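
The explicit-trust step described in the reply, as an added example that is not part of the original message: it signs an OCSP response with a responder whose chain is outside the issuing CA's hierarchy, then verifies it with the `openssl` CLI against the responder's root, first plain and then marked with `-addtrust OCSPSigning`. All certificate names and files are constructed for the demo, and loading the resulting file into the mod_ssl store is not shown.

```shell
#!/bin/sh
# Constructed demo: every name, subject and file below is made up.
set -eu
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

new_root() {  # new_root NAME: self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}
issue() {     # issue NAME ROOT: certificate NAME signed by ROOT
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.pem" -CAkey "$W/$2.key" \
    -set_serial 1 -days 2 -out "$W/$1.pem" 2>/dev/null
}
verify_with() {  # verify_with ROOTFILE: prints "trusted" or "rejected"
  if openssl ocsp -respin "$W/resp.der" -CAfile "$1" 2>&1 |
       grep -q 'Response verify OK'; then echo trusted; else echo rejected; fi
}

new_root issuer-ca;      issue server issuer-ca
new_root responder-root; issue responder responder-root

# Sign an OCSP response for "server" with the out-of-hierarchy responder.
: > "$W/index.txt"   # empty CA database, so the reported status is "unknown"
openssl ocsp -issuer "$W/issuer-ca.pem" -cert "$W/server.pem" -reqout "$W/req.der"
openssl ocsp -index "$W/index.txt" -CA "$W/issuer-ca.pem" \
  -rsigner "$W/responder.pem" -rkey "$W/responder.key" \
  -reqin "$W/req.der" -respout "$W/resp.der" >/dev/null 2>&1

# Explicit trust: mark the responder's root as trusted for OCSP signing.
openssl x509 -in "$W/responder-root.pem" -addtrust OCSPSigning \
  -out "$W/responder-root.trusted.pem"

echo "plain root:   $(verify_with "$W/responder-root.pem")"
echo "trusted root: $(verify_with "$W/responder-root.trusted.pem")"
```

The plain root is rejected because the responder certificate was not issued by the CA named in the response; only the root carrying the OCSP signing trust setting makes the response verify.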