[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OCSP for LDAP Client

Jason Talley wrote:
I've been asked to enable OCSP checking in our client  (connecting to any LDAP
server) .  The client uses  OpenLdap api's for managing the connection to the
server.  From my recent birth-by-fire education on certs and security, OCSP
checking appears more or less to be a manual process rather than having
OpenSSL do all the work auto-magically as part of the handshake (ignoring ocsp
stapling which I'm avoiding).  I don't see any options in openssl s_client
(for testing) to enable OCSP -- only a separate utility to manually check
based on captured client certs.

Storing the CRL in the LDAP DB isn't an option.  For whatever reason, OCSP is

Is there any way to enable OCSP checking via the current LDAP API?

There is nothing in the LDAP API for this.

the answer is no, then would a reasonable approach be to manually query the
server URL from time to time, and verify the certificate in the background?


Traffic from our client should be relatively minimal, so even at a rate of one
verification an hour should have a minimal risk window of the cert being
expired.  Using this method I can more or less follow the same logic as the
openssl utilities (s_client and ocsp).


  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/