2008/12/10 Robert Relyea <[EMAIL PROTECTED]>

> sg4all wrote:
>
>> Hi,
>>
>> I'm trying to set up an Apache webserver with mod_nss. When available, OCSP
>> should be used to verify the validity of the certificate. When the OCSP is
>> unavailable, CRLs are used.
>>
>> I installed the CRLs, and configured everything. (My nss.conf is included in
>> this message).
>>
>> When I comment out "NSSOCSP On": it validates the certificates using CRL
>> correctly.
>> When "NSSOCSP on" is used, it validates the certificates using OCSP
>> correctly.
>
> Not in the default NSS validation scheme. NSS 3.12 has new cert validation
> code called PKIX. With it comes more control and configuration of the
> revocation engine. I'm not sure of the state of the code (I think the latest
> is about ready for prime time), but I'm pretty sure mod_nss isn't set up to
> use the fine-grained control of revocation.
>
> bob

Hi Bob,

So what you say is that when mod_nss is not capable of doing OCSP validation because it cannot connect to the OCSP server, there is no fallback to CRL?

Thanks