Educause Security Discussion mailing list archives
Re: OCSP/HTTPS site issues? Certificate validation?
From: Rich Graves <rgraves () CARLETON EDU>
Date: Fri, 20 Jan 2012 15:20:26 -0600
Without specific examples (at least the CAs in question), no, it's not possible to help you. Try getting the CRL/OCSP site manually (browser, wget, openssl). If it fails, do basic network troubleshooting. If it succeeds, do basic troubleshooting on the machines affected. If it's intermittent, maybe the CA has underprovisioned their server. Check netflow/firewall logs for indications of failure.

A mostly unrelated annoyance that people should be aware of: MacOS Lion turned on OCSP validation by default. If a captive portal redirects to a site with an SSL cert that provides OCSP/CRL information and the OCSP/CRL site itself is not available, not only is the captive portal broken, but the user's Keychain tends to get corrupted. Make sure your registration/quarantine networks allow CRL validation, or at least, don't redirect requests back to the captive portal.
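An added example, not part of the original post: a shell check that lists the OCSP and CRL endpoints a portal certificate advertises and reports which ones a walled-garden host allowlist would leave unreachable. The sample certificate text, the host names and the file name `portal.pem` are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of the extension section printed by
# `openssl x509 -noout -text`; host names are placeholders.
SAMPLE_CERT_TEXT='        X509v3 extensions:
            Authority Information Access: 
                OCSP - URI:http://ocsp.ca.example/
                CA Issuers - URI:http://certs.ca.example/issuer.crt
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.ca.example/issuer.crl

            X509v3 Basic Constraints: critical
                CA:FALSE'

# Read certificate text on stdin; print "ocsp <url>" or "crl <url>" per
# revocation endpoint. CA Issuers URLs are not revocation endpoints.
revocation_urls() {
    awk '
        /CRL Distribution Points/ { in_crl = 1; next }
        /X509v3 |Authority Information Access/ { in_crl = 0 }
        /OCSP - URI:/ { sub(/.*OCSP - URI:/, ""); print "ocsp", $0; next }
        in_crl && /URI:/ { sub(/.*URI:/, ""); print "crl", $0 }
    '
}

# Arguments: hosts the registration/quarantine network lets through.
# Prints every revocation endpoint whose host is NOT on that list.
blocked_endpoints() {
    allow=" $* "
    revocation_urls | while read -r kind url; do
        host=${url#*://}      # drop the scheme
        host=${host%%/*}      # drop the path
        host=${host%%:*}      # drop an explicit port
        case "$allow" in
            *" $host "*) ;;                 # reachable from the walled garden
            *) echo "$kind $url" ;;         # would be blocked or redirected
        esac
    done
}

# Against a real certificate (portal.pem is a hypothetical file name):
#   openssl x509 -in portal.pem -noout -text | blocked_endpoints host1 host2
printf '%s\n' "$SAMPLE_CERT_TEXT" | blocked_endpoints ocsp.ca.example
```

Any endpoint this prints is one to add to the quarantine network's pass-through rules, or at least to exclude from the portal redirect.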