Greets. We've been experiencing a problem introduced by IE 7, which
arguably is caused by improved security. This is in a non-m0n0wall
context, but it seems that the problem will become widespread soon.
We have a walled garden/captive portal page users are redirected to
via HTTPS. The server presents a cert in the server hello, as usual,
but with a sufficiently paranoid client (as is the default with MSIE 7, but
could be the case with Firefox depending on settings), the attempt to
validate the cert - either by following the OCSP URL baked into the
cert, or via CRL fetch - fails.
It seems to me that rather than inventing a separate OCSP/CRL proxy,
this functionality should be in the captive portal itself -- once
the $$ are paid or password given etc, the user is no longer restricted
to the captive portal.
Forgive me if this has been a topic of discussion here and I missed it.
I'd like comments on this problem, I'm sure everyone here has an