Posted to users@httpd.apache.org by Luis Neves <lu...@hotmail.com> on 2010/06/16 18:20:35 UTC
[users@httpd] OCSP, CRL, apache and openssl questions
Hi there,
I am unable to use the SSLOCSPEnable directive in ssl.conf.
My httpd-2.2.3-6 running on RHEL5 gives an unknown module error when restarted:
"Invalid command 'SSLOCSPEnable', perhaps misspelled or defined by a module not included in the server configuration"
Here, http://httpd.apache.org/docs/trunk/mod/mod_ssl.html,
it says that SSLOCSPEnable is "Available in httpd 2.3 and later".
So, do I need to download and compile httpd 2.3 on my RHEL to be able to use OCSP?
What alternatives do I have?
And what about using Apache+mod_nss, instead of Apache+mod_ssl, to be able to use OCSP with my current Apache to "validate" expired client X509 certificates?
Or, at this state of Apache development, should I forget OCSP and try to use CRL and automate CRL updates using some cron job and some scripting?
Regards,
Luis Neves
RE: [users@httpd] OCSP, CRL, apache and openssl questions
Posted by Luis Neves <lu...@hotmail.com>.
Anyone?
Shouldn't I use OCSP at all?
Should I post this in openssl lists instead?
Thanks,
Luis
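For the CRL-plus-cron option raised in the question, an added example (not part of the original post or of httpd) of the validation step such a job needs before it replaces the CRL that mod_ssl reads through SSLCARevocationPath. The function name and all paths are assumptions; fetching the CRL and reloading httpd are left to the cron wrapper.

```shell
#!/bin/sh
# Added example: validate a freshly fetched CRL, then install it atomically.
# install_crl is a hypothetical helper name; all paths are caller-supplied.

# install_crl NEW_CRL_PEM CA_CERT_PEM DEST_DIR
# Returns 0 and writes DEST_DIR/<issuer-hash>.r0 only if the CRL is signed
# by the given CA and its nextUpdate is still in the future.
install_crl() {
    new=$1 ca=$2 dest=$3

    # "openssl crl" can exit 0 even when the signature is bad (seen in some
    # OpenSSL releases), so match on the "verify OK" text, not the status.
    out=$(openssl crl -in "$new" -CAfile "$ca" -noout 2>&1) || true
    case $out in
        *"verify OK"*) ;;
        *) echo "reject: CRL signature check failed" >&2; return 1 ;;
    esac

    # "nextUpdate=Jun 17 16:20:35 2010 GMT" -> epoch seconds.
    # Assumes GNU date (as shipped on RHEL) for the -d option.
    next=$(openssl crl -in "$new" -noout -nextupdate | cut -d= -f2) || return 1
    next_s=$(date -u -d "$next" +%s) || return 1
    if [ "$next_s" -le "$(date -u +%s)" ]; then
        echo "reject: CRL is already past nextUpdate ($next)" >&2
        return 1
    fi

    # SSLCARevocationPath finds CRLs by issuer-name hash: <hash>.r0
    hash=$(openssl crl -in "$new" -noout -hash) || return 1

    # Copy to a temp file in the same directory, then rename, so the
    # server never opens a half-written CRL.
    tmp=$(mktemp "$dest/.crl.XXXXXX") || return 1
    if cp "$new" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest/$hash.r0"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

A cron wrapper would download the CRL to a scratch file, call `install_crl`, and keep the previously installed CRL (and raise an alert) whenever the function returns non-zero.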