[ previous ] [ next ] [ threads ]
 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Michael Sierchio <kudzu at tenebras dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IE 7 OCSP request breaks captive portals
 Date:  Mon, 30 Oct 2006 21:39:42 +0100
On 30.10.06 12:16 -0800, Michael Sierchio wrote:

> but a sufficiently paranoid client (as is the default with MSIE 7,
> but could be the case with Firefox dep. on settings), the attempt
> to validate the cert - either by following the OCSP URL baked into
> the cert, or via CRL fetch - fails.

Is this really the default now in IE 7? I've heard of this before,
but was unable to verify that IE 7 indeed checks server certificates
for revocation by default (just imagine the load on the poor CA's
servers - even when using OCSP!) - only software publisher's certs.

However, if this is really causing you problems, then try adding the
IP address(es) of the server(s) that the CRL/OCSP URLs in your HTTPS
certificate point to to the list of "Allowed IP addresses" in
m0n0wall's captive portal. That should do the trick. And of course,
once the user has logged in, no connections will be intercepted by
the captive portal anymore and there shouldn't be any problems with
checking other certificates for revocation.

- Manuel