 From:  Michael Sierchio <kudzu at tenebras dot com>
 To:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] IE 7 OCSP request breaks captive portals
 Date:  Mon, 30 Oct 2006 12:46:21 -0800
Manuel Kasper wrote:

> However, if this is really causing you problems, then try adding the
> IP address(es) of the server(s) that the CRL/OCSP URLs in your HTTPS
> certificate point to to the list of "Allowed IP addresses" in
> m0n0wall's captive portal. That should do the trick. And of course,
> once the user has logged in, no connections will be intercepted by
> the captive portal anymore and there shouldn't be any problems with
> checking other certificates for revocation.

Thanks, Manuel.

Sorry, that last reply got away from me.  The OCSP servers may in
fact be hosted at the edge (e.g. by Akamai), and this is a good
reason for not hardcoding IP addresses in the URL.  So we still
have the problem that we can't in advance know the IP addresses
we'll be going to -- at least not in any way we can maintain.

So, the problem is one of selectively proxying for traffic to a URL
that we KNOW, because it's in the cert we present.

Still hoping for further suggestions/investigation.
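As an added example (not code from this thread or from m0n0wall), the script below pulls the OCSP responder and CRL distribution point hostnames out of the certificate the portal presents, which is exactly the set of endpoints a pre-login allow list has to admit; the certificate and hostnames are constructed placeholders, and the address lookup assumes glibc's getent.

```shell
#!/bin/sh
# Added example: list the revocation-check endpoints (OCSP responder and CRL
# distribution points) named in a captive portal's own certificate, so they can be
# resolved and allowed before login and re-resolved as a CDN's addresses change.

# Print the hostnames named in the certificate's OCSP AIA and CRL DP extensions.
revocation_hosts() {
  cert="$1"
  {
    openssl x509 -in "$cert" -noout -ocsp_uri
    openssl x509 -in "$cert" -noout -ext crlDistributionPoints 2>/dev/null \
      | grep -o 'URI:[^ ]*' | cut -c5-
  } | sed -E 's#^[A-Za-z]+://([^/:]+).*#\1#' | sort -u
}

# Resolve each host to its current addresses (what the portal actually permits).
# Assumes glibc's getent; hosts served from a CDN must be re-resolved regularly.
revocation_addresses() {
  for h in $(revocation_hosts "$1"); do
    getent ahosts "$h" | awk '{print $1}' | sort -u
  done
}

# Constructed sample: a throwaway self-signed certificate carrying both
# extensions (placeholder hostnames, not real responders). Needs OpenSSL >= 1.1.1.
make_sample_cert() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=portal.example.test" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test/" \
    -addext "crlDistributionPoints=URI:http://crl.example.test/ca.crl" 2>/dev/null
  echo "$dir/cert.pem"
}

# Usage: hosts for the constructed cert (the real portal cert would go here).
sample=$(make_sample_cert)
revocation_hosts "$sample"
```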