[Mod_nss-list] [Non-DoD Source] Re: Revoc check via CRL and OCSP

Smith, Albert L CTR OSD OUSD ATL (US) albert.l.smith12.ctr at mail.mil
Thu Jul 28 15:36:40 UTC 2016


So on all valid certificates mod_nss will check the CRL and also OCSP, even when the relevant CRL exists in the database?  I assumed that if the client cert serial number isn't found in the CRL then mod_nss would accept the cert as "good" and process the request - and only move on to OCSP if the relevant CRL doesn't exist in the nss db?

Thank you for your attention,

-Albert Smith
Infrastructure Team
OUSD(AT&L) eBusiness Center
703 571-3015


-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com] 
Sent: Thursday, July 28, 2016 11:17 AM
To: Smith, Albert L CTR OSD OUSD ATL (US); mod_nss-list at redhat.com
Subject: Re: [Non-DoD Source] Re: [Mod_nss-list] Revoc check via CRL and OCSP

Smith, Albert L CTR OSD OUSD ATL (US) wrote:
> Thanks for the quick answer Rob.
>
> Also - My website is servicing users spread among 60-ish CA's.
>
> Do I understand this correctly to mean that if I load the CRL's into the NSS db nightly, my website will always do a revocation check against the CRL in the NSS DB, and only go to OCSP if the CRL is missing?  What is the expected behavior if the CRL exists in the NSS DB but is stale?

Not exactly. NSS will check the CRL for the certificate. If it is not there it will check OCSP. If that is successful mod_nss will process the request.

I'm not 100% sure of this but I believe that NSS will use the CRL it has regardless of the Next Update value.

> mod_revocator - I looked at that but decided to write a Perl program to gather all of the CRL's nightly and load them into the NSS DB.  This is because I had to do that anyway because of our disconnected dev/test networks.

Ok, cool.

rob

>
> Thank you for your attention,
>
> -Albert Smith
> Infrastructure Team
> OUSD(AT&L) eBusiness Center
> 703 571-3015
>
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Thursday, July 28, 2016 10:00 AM
> To: Smith, Albert L CTR OSD OUSD ATL (US); mod_nss-list at redhat.com
> Subject: [Non-DoD Source] Re: [Mod_nss-list] Revoc check via CRL and OCSP
>
> Smith, Albert L CTR OSD OUSD ATL (US) wrote:
>> Hello,
>>
>> I'm running RHEL6 with "httpd-2.2.15-53" and "mod_nss-1.0.10-6".
>>
>> My webserver is currently configured to do revocation checking via OCSP and is working fine, except when we encounter failures with the OCSP service provider.
>>
>> I would like to configure my webserver to check OCSP first, and in 
>> the case of a failure, use CRL files (either local files on disk or 
>> CRL files loaded into the NSS database) as a secondary.  (If OCSP 
>> then CRL isn't possible, is CRL then OCSP possible?)
>>
>> Is this possible, and if it is what are the relevant NSS directives to set?
>
> NSS will check a CRL automatically if one has been loaded (see crlutil).
> It does this before doing an OCSP check.
>
> The behavior you're seeing won't really change though. If the OCSP check cannot be made then the request will fail. There is no configuration setting to tune that.
>
> For automated CRL handling you might want to look at mod_revocator, another Apache module. This will retrieve and load updated CRLs without requiring a restart of Apache.
>
> rob
>
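The check order Rob describes (a loaded CRL is consulted first; a serial that is not on it still goes to OCSP; an OCSP failure rejects the request; a CRL is believed to be used even past its Next Update) is easy to misread, as the follow-up question shows. The following is an added model of that decision flow for a server fronting many issuing CAs. It is illustration code written for this thread, not NSS or mod_nss source: the `Crl`, `ClientCert` and `Decision` types, the `check_revocation`/`serve_request` helpers and all CA names, serials and CRL contents are constructed for the example, and the OCSP lookup is a stand-in callable.

```python
"""Model of the revocation order described in this thread: CRL first (if
one is loaded for the issuer), then OCSP; the request is only served when
the final status is GOOD. Added example, not NSS/mod_nss code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Dict, List, Set


class Decision(Enum):
    GOOD = "good"          # serve the request
    REVOKED = "revoked"    # reject: certificate is on the CRL / OCSP says revoked
    UNKNOWN = "unknown"    # reject: OCSP responder down or returned an error


@dataclass
class Crl:
    """Constructed stand-in for one CRL loaded into the NSS database."""
    issuer: str
    next_update: datetime
    revoked_serials: Set[int] = field(default_factory=set)

    def is_stale(self, now: datetime) -> bool:
        return now > self.next_update


@dataclass
class ClientCert:
    issuer: str
    serial: int


# Hypothetical OCSP lookup: GOOD/REVOKED, or UNKNOWN when the responder fails.
OcspLookup = Callable[[ClientCert], Decision]


def check_revocation(cert: ClientCert, crls: Dict[str, Crl],
                     ocsp: OcspLookup, now: datetime, log: List[str]) -> Decision:
    """CRL first, then OCSP. A serial found on the CRL is revoked without an
    OCSP call; a serial absent from the CRL is still checked via OCSP."""
    crl = crls.get(cert.issuer)
    if crl is None:
        log.append(f"{cert.issuer}: no CRL loaded, going to OCSP")
    else:
        if crl.is_stale(now):
            # Rob's stated belief in the thread: the CRL is used regardless of Next Update.
            log.append(f"{cert.issuer}: CRL past nextUpdate, using it anyway")
        if cert.serial in crl.revoked_serials:
            log.append(f"{cert.issuer}: serial {cert.serial} on CRL -> revoked")
            return Decision.REVOKED
        log.append(f"{cert.issuer}: serial {cert.serial} not on CRL, going to OCSP")
    result = ocsp(cert)
    log.append(f"{cert.issuer}: OCSP says {result.value}")
    return result


def serve_request(cert: ClientCert, crls: Dict[str, Crl],
                  ocsp: OcspLookup, now: datetime, log: List[str]) -> bool:
    """Only a GOOD status lets the request through; UNKNOWN is a failure."""
    return check_revocation(cert, crls, ocsp, now, log) is Decision.GOOD


def demo() -> Dict[str, bool]:
    """Run the scenarios raised in the thread against constructed CRLs."""
    now = datetime(2016, 7, 28, 15, 36, tzinfo=timezone.utc)
    crls = {
        "CA-01": Crl("CA-01", now + timedelta(days=1), {1001, 1002}),
        "CA-02": Crl("CA-02", now - timedelta(days=3), {2001}),  # stale CRL
    }
    ocsp_calls: List[int] = []

    def ocsp_up(cert: ClientCert) -> Decision:
        ocsp_calls.append(cert.serial)
        return Decision.GOOD

    def ocsp_down(cert: ClientCert) -> Decision:
        ocsp_calls.append(cert.serial)
        return Decision.UNKNOWN

    log: List[str] = []
    outcomes = {
        "on_crl": serve_request(ClientCert("CA-01", 1001), crls, ocsp_up, now, log),
        "not_on_crl_ocsp_up": serve_request(ClientCert("CA-01", 1999), crls, ocsp_up, now, log),
        "not_on_crl_ocsp_down": serve_request(ClientCert("CA-01", 1999), crls, ocsp_down, now, log),
        "no_crl_ocsp_up": serve_request(ClientCert("CA-59", 5), crls, ocsp_up, now, log),
        "stale_crl_on_it": serve_request(ClientCert("CA-02", 2001), crls, ocsp_up, now, log),
    }
    # A CRL hit short-circuits: OCSP is never asked about serial 1001.
    outcomes["ocsp_called_for_crl_hit"] = 1001 in ocsp_calls
    for line in log:
        print(line)
    return outcomes


if __name__ == "__main__":
    demo()
```

The point the model makes explicit is the one the thread circles around: a CRL in the NSS database only settles the case where the serial is listed; a "not on the CRL" result does not short-circuit OCSP, so an unreachable responder still fails the request even with fresh CRLs loaded nightly.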
