[Mod_nss-list] Revoc check via CRL and OCSP

Rob Crittenden rcritten at redhat.com
Thu Jul 28 14:00:08 UTC 2016


Smith, Albert L CTR OSD OUSD ATL (US) wrote:
> Hello,
>
> I'm running RHEL6 with "httpd-2.2.15-53" and "mod_nss-1.0.10-6".
>
> My webserver is currently configured to do revocation checking via OCSP and is working fine, except when we encounter failures with the OCSP service provider.
>
> I would like to configure my webserver to check OCSP first, and in the case of a failure, use CRL files (either local files on disk or CRL files loaded into the NSS database) as a secondary.  (If OCSP then CRL isn't possible, is CRL then OCSP possible?)
>
> Is this possible, and if it is what are the relevant NSS directives to set?

NSS will check a CRL automatically if one has been loaded (see crlutil). 
It does this before doing an OCSP check.

The behavior you're seeing won't really change though. If the OCSP check 
cannot be made then the request will fail. There is no configuration 
setting to tune that.

For automated CRL handling you might want to look at mod_revocator, 
another Apache module. This will retrieve and load updated CRLs without 
requiring a restart of Apache.

rob
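The directives the original poster asked about, as an added example that is not part of the thread or of the mod_nss project: a mod_nss virtual host fragment with OCSP enabled, followed by the crlutil commands that load a CRL into the same NSS database. The database path, certificate nicknames and responder URL are assumed placeholders.

```apache
# Added example (not from the thread): fragment for /etc/httpd/conf.d/nss.conf.
# Assumed: NSS database at /etc/httpd/alias (the mod_nss default on RHEL 6),
# placeholder nicknames and a placeholder responder URL.
<VirtualHost _default_:8443>
    NSSEngine on
    NSSCertificateDatabase /etc/httpd/alias
    NSSNickname Server-Cert

    # Require client certificates, so their revocation status is checked.
    NSSVerifyClient require

    # Enable OCSP. A CRL already loaded into the NSS database is consulted
    # first; if the OCSP responder cannot be reached the handshake still
    # fails. There is no directive that falls back to CRL-only checking.
    NSSOCSP on

    # Optional: send every OCSP query to one responder instead of the AIA
    # URL in each certificate (placeholder URL; the nickname must be the
    # responder's signing certificate as stored in the NSS database).
    NSSOCSPDefaultResponder on
    NSSOCSPDefaultURL http://ocsp.example.test/
    NSSOCSPDefaultName ocsp-responder-cert
</VirtualHost>

# Loading a CRL into the same database (shell commands, run before
# restarting httpd; mod_revocator automates the refresh without a restart):
#   crlutil -I -t 1 -i ca.crl -d /etc/httpd/alias
# Listing the CRLs currently loaded:
#   crlutil -L -d /etc/httpd/alias
```

Check the CRL's nextUpdate before importing it: an expired CRL in the database does not replace a working OCSP responder and will not cover the outage the poster describes.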
