Posted to dev@httpd.apache.org by Dr Stephen Henson <sh...@oss-institute.org> on 2007/10/19 14:06:08 UTC

OCSP support and sub requests.

As Steve Marquess recently mentioned, I've been working on a patch to
implement OCSP stapling support for mod_ssl.

The first version of OpenSSL which will support OCSP stapling will now
be 0.9.8h not 0.9.8g as originally announced.

It has been suggested that performing OCSP queries via the sub request
mechanism would be a good idea and I've been exploring this option.

For those not familiar with OCSP, all a query entails is sending an HTTP
request to a server using the POST (or occasionally GET) mechanism and
examining the response.

I've hit a few problems though.

I haven't found much documentation about how to use sub requests for
http: any pointers?

I would really need to include a configurable timeout on the sub request
so appropriate measures could be taken if the OCSP responder didn't erm
respond. Is that possible?

The main problem though is that adding a sub request is done via the
request_rec structure. In mod_ssl this doesn't seem to be available at
the time when it is needed. The OCSP query would need to be made during
the SSL/TLS handshake and the actual page requested is not known until
after the handshake is complete. Is there some way round this or an
alternative technique to make a sub request?

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.
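
The message above describes an OCSP query as an HTTP POST (or occasionally GET) whose response is examined, and asks for a configurable timeout. The following is an added example, not part of the original post and not mod_ssl or OpenSSL code: a Python standard-library sketch of that exchange with an explicit timeout. All function names are hypothetical, and the hashes, serial number and responder URL are constructed sample values.

```python
import base64, urllib.parse, urllib.request

SHA1_ALGID = bytes.fromhex("300906052b0e03021a0500")  # AlgorithmIdentifier: SHA-1, NULL params
STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
          3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

def der(tag, body):
    """Encode one DER TLV with a short or long form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def build_request(issuer_name_hash, issuer_key_hash, serial):
    """OCSPRequest for one certificate: no nonce, no signature."""
    serial_der = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    cert_id = der(0x30, SHA1_ALGID + der(0x04, issuer_name_hash)
                  + der(0x04, issuer_key_hash) + der(0x02, serial_der))
    request_list = der(0x30, der(0x30, cert_id))   # SEQUENCE OF Request
    return der(0x30, der(0x30, request_list))      # OCSPRequest { tbsRequest }

def get_url(responder, req):
    """GET form: the base64 of the DER request, URL-encoded, appended to the URL."""
    return responder.rstrip("/") + "/" + urllib.parse.quote(base64.b64encode(req), safe="")

def query(url, req, timeout):
    """POST form. Returns the response body, or None if the responder
    errors out or does not answer within `timeout` seconds."""
    post = urllib.request.Request(url, data=req,
                                  headers={"Content-Type": "application/ocsp-request"})
    try:
        with urllib.request.urlopen(post, timeout=timeout) as r:
            return r.read()
    except OSError:   # URLError, HTTPError and socket timeouts are all OSError
        return None

def response_status(resp):
    """Read OCSPResponse.responseStatus (the leading ENUMERATED)."""
    if len(resp) < 5 or resp[0] != 0x30:
        raise ValueError("not an OCSPResponse")
    i = 2 + (resp[1] & 0x7F if resp[1] & 0x80 else 0)   # skip the length octets
    if resp[i:i + 2] != b"\x0a\x01" or len(resp) <= i + 2:
        raise ValueError("missing responseStatus")
    return STATUS.get(resp[i + 2], "unknown")

if __name__ == "__main__":
    # Constructed sample values, not from the post.
    req = build_request(b"\x11" * 20, b"\x22" * 20, 0x1234)
    print(req.hex())
    print(get_url("http://ocsp.example.test", req))
    print(response_status(bytes.fromhex("30030a0103")))
```

This reads only the outer response status. A "successful" response still carries a signed BasicOCSPResponse whose signature and validity period have to be verified before it is stapled.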