Re: OCSP for LDAP Client

[Howard Chu <hyc@symas.com>]

Jason Talley wrote:
> I've been asked to enable OCSP checking in our client  (connecting to any LDAP
> server) .  The client uses  OpenLdap api's for managing the connection to the
> server.  From my recent birth-by-fire education on certs and security, OCSP
> checking appears more or less to be a manual process rather than having
> OpenSSL do all the work auto-magically as part of the handshake (ignoring ocsp
> stapling which I'm avoiding).  I don't see any options in openssl s_client
> (for testing) to enable OCSP -- only a separate utility to manually check
> based on captured client certs.
>
> Storing the CRL in the LDAP DB isn't an option.  For whatever reason, OCSP is
> required.
>
> Is there any way to enable OCSP checking via the current LDAP API?

There is nothing in the LDAP API for this.

> Assuming
> the answer is no, then would a reasonable approach be to manually query the
> server URL from time to time, and verify the certificate in the background?

Sure.

> Traffic from our client should be relatively minimal, so even at a rate of one
> verification an hour should have a minimal risk window of the cert being
> expired.  Using this method I can more or less follow the same logic as the
> openssl utilities (s_client and ocsp).
>
> TIA.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/