Manuel Kasper wrote:
> However, if this is really causing you problems, then try adding the
> IP address(es) of the server(s) that the CRL/OCSP URLs in your HTTPS
> certificate point to, to the list of "Allowed IP addresses" in
> m0n0wall's captive portal. That should do the trick. And of course,
> once the user has logged in, no connections will be intercepted by
> the captive portal anymore and there shouldn't be any problems with
> checking other certificates for revocation.
Sorry, that last reply got away from me. The OCSP servers may in
fact be hosted at the edge (e.g. by Akamai), and this is a good
reason for not hardcoding IP addresses in the URL. So we still
have the problem that we can't in advance know the IP addresses
we'll be going to -- at least not in any way we can maintain.
So, the problem is one of selectively proxying for traffic to a URL
that we KNOW, because it's in the cert we present.
Still hoping for further suggestions/investigation.