OCSP for LDAP Client
- To: "email@example.com" <firstname.lastname@example.org>
- Subject: OCSP for LDAP Client
- From: Jason Talley <email@example.com>
- Date: Wed, 27 Jan 2016 20:00:58 +0000
I've been asked to enable OCSP checking in our client (connecting to any LDAP server). The client uses the OpenLDAP APIs for managing the connection to the server. From my recent birth-by-fire education on certs and security, OCSP checking appears more or less to be a manual process rather than having OpenSSL do all the work auto-magically as part of the handshake (ignoring OCSP stapling, which I'm avoiding). I don't see any options in openssl s_client (for testing) to enable OCSP -- only a separate utility to manually check based on captured client certs.
Storing the CRL in the LDAP DB isn't an option. For whatever reason, OCSP is required.
Is there any way to enable OCSP checking via the current LDAP API? Assuming the answer is no, would a reasonable approach be to manually query the server URL from time to time and verify the certificate in the background? Traffic from our client should be relatively minimal, so even a rate of one verification an hour should leave a minimal risk window of the cert being revoked. Using this method I can more or less follow the same logic as the openssl utilities (s_client and ocsp).
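The manual check the post describes, carried through end to end with the openssl ocsp utility, as an added example that is not part of the original post or of OpenLDAP. It assumes only that the openssl command-line tool is installed: a throwaway CA, one LDAP server certificate (serial 0x1000) and the CA's index.txt are all generated in a temporary directory, openssl ocsp answers the request offline from that index (standing in for the responder behind the server's OCSP URL), and a second openssl ocsp run plays the client, verifying the responder signature against the CA and reporting the status word. The round trip runs twice, once with the certificate valid and once after the CA marks it revoked, which is the case a background checker has to treat as a hard failure.

```shell
#!/bin/sh
# Offline OCSP round trip with the openssl ocsp utility (added example, not the poster's code).
# Assumes only the openssl CLI; all keys, certs and the index are constructed here.
set -eu

# Build a throwaway CA and one LDAP server certificate (serial 0x1000) in $1.
make_demo_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -days 2 \
      -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
      -keyout "$dir/ldap.key" -out "$dir/ldap.csr" 2>/dev/null
  openssl x509 -req -in "$dir/ldap.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
      -set_serial 4096 -days 1 -out "$dir/ldap.pem" 2>/dev/null
}

# Write the CA's index.txt in the layout openssl ocsp -index expects:
# status (V/R), expiry, revocation time, serial in hex, file, subject. $2 is the
# status letter, $3 the revocation time (empty while the cert is valid).
write_index() {
  dir=$1; status=$2; revtime=$3
  printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$status" 300101000000Z "$revtime" \
      1000 unknown /CN=ldap.example.test > "$dir/index.txt"
}

# Responder side in one shot: build the request for ldap.pem, answer it from index.txt,
# sign with the CA key and write the DER response a real responder would return over HTTP.
# -ndays 1 sets nextUpdate, the freshness bound a periodic checker should honour.
answer_request() {
  dir=$1
  openssl ocsp -issuer "$dir/ca.pem" -cert "$dir/ldap.pem" -no_nonce \
      -index "$dir/index.txt" -CA "$dir/ca.pem" -rsigner "$dir/ca.pem" \
      -rkey "$dir/ca.key" -ndays 1 -respout "$dir/resp.der" >/dev/null 2>&1
}

# Client side: verify the response signature against the CA and print the status word
# (good / revoked / unknown). Prints verify-failed and returns 1 if the response does
# not verify; a checker must treat anything but "good" as a failed check.
check_response() {
  dir=$1
  out=$(openssl ocsp -issuer "$dir/ca.pem" -cert "$dir/ldap.pem" -no_nonce \
        -respin "$dir/resp.der" -CAfile "$dir/ca.pem" 2>&1) \
      || { echo verify-failed; return 1; }
  echo "$out" | grep -q '^Response verify OK' || { echo verify-failed; return 1; }
  echo "$out" | sed -n 's/^.*ldap\.pem: \([a-z]*\).*$/\1/p'
}

# Run the round trip twice: with the cert valid, then after the CA revokes it.
# Prints the two status words, e.g. "good revoked".
ocsp_demo() (
  dir=$(mktemp -d)
  trap 'rm -rf "$dir"' EXIT
  make_demo_pki "$dir"
  write_index "$dir" V ""
  answer_request "$dir"
  first=$(check_response "$dir")
  write_index "$dir" R 200101000000Z
  answer_request "$dir"
  second=$(check_response "$dir")
  echo "$first $second"
)

ocsp_demo
```

In a real client the responder step is replaced by an HTTP POST of the DER request to the URL in the server certificate's Authority Information Access extension, which is what openssl ocsp -url does; the verification step stays the same, and the check should fail closed on "revoked", "unknown", a bad signature, or a response whose nextUpdate has passed.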