On Sat, Sep 12, 2009 at 6:40 PM, Lee Sharp <leesharp at hal dash pc dot org> wrote:
> What IP?
> The reason that I ask is that this is happening with a lot more software,
> and in some cases, halting login completely. (Like McAfee Site Advisor)
> With a little discussion, we can find these sites, and keep an IP allow
> list to minimize this behavior.
First of all, forget my part about SSL 3.0.
I was testing in a double NAT environment which obviously gave me
Connecting everything directly made that problem disappear.
Ok, this is what I did for the OCSP stuff. My certificates are issued
We sniffed the line while opening the browser, which showed us it
tried to connect to ocsp.comodoca.com.
We looked up the IP of that host and it gave us 3 IPs, 188.8.131.52,
184.108.40.206 and 220.127.116.11.
I've added the first one in the allowed list (any to IP) of the
captive portal and used an entry in the DNS forwarder to make sure
ocsp.comodoca.com always resolved to that IP. You could add all IPs
too of course.
As you know, the OCSP IPs will depend on the issuer of your
certificates, so in case you're having the same issues, it's best to do a
sniff on one of your systems and see what happens.
Hope this helps
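
As an added example that is not part of the original message: the OCSP responder a browser will contact is also listed in the certificate's Authority Information Access extension, so the host to allow through the captive portal can be read from the certificate as a cross-check on the sniff. The sketch below scans the DER bytes for the id-ad-ocsp OID instead of parsing ASN.1 in full; the function names and the `ocsp.example.test` sample data are constructed for illustration.

```python
import ssl
import sys
from urllib.parse import urlsplit

# DER for OID 1.3.6.1.5.5.7.48.1 (id-ad-ocsp) followed by tag 0x86, the
# GeneralName choice [6] uniformResourceIdentifier that carries the URL.
OCSP_MARKER = bytes.fromhex("06082b06010505073001") + b"\x86"
CA_ISSUERS_MARKER = bytes.fromhex("06082b06010505073002") + b"\x86"

def ocsp_urls_from_der(der):
    """Return the OCSP responder URLs in a DER certificate (byte scan)."""
    urls = []
    pos = der.find(OCSP_MARKER)
    while pos != -1:
        cur = pos + len(OCSP_MARKER)
        length = der[cur] if cur < len(der) else 0
        cur += 1
        if length == 0x81 and cur < len(der):  # long form, one length byte
            length = der[cur]
            cur += 1
        elif length >= 0x80:  # longer encodings are not expected for a URL
            length = 0
        uri = der[cur:cur + length]
        if 0 < length == len(uri) and uri.isascii():
            urls.append(uri.decode("ascii"))
        pos = der.find(OCSP_MARKER, pos + 1)
    return urls

def ocsp_hosts(der):
    """Host names to allow through the portal, deduplicated and sorted."""
    hosts = {urlsplit(u).hostname for u in ocsp_urls_from_der(der)}
    return sorted(h for h in hosts if h)

def _entry(marker, url):
    body = marker + bytes([len(url)]) + url  # accessMethod + accessLocation
    return b"\x30" + bytes([len(body)]) + body  # AccessDescription SEQUENCE

# Constructed sample (not a real certificate): an AIA value with one OCSP
# entry and one caIssuers entry, which the scan must ignore.
SAMPLE_AIA = _entry(OCSP_MARKER, b"http://ocsp.example.test") + _entry(
    CA_ISSUERS_MARKER, b"http://crt.example.test/ca.crt")

if __name__ == "__main__":
    der = SAMPLE_AIA
    if len(sys.argv) > 1:  # optional path to a PEM certificate
        der = ssl.PEM_cert_to_DER_cert(open(sys.argv[1]).read())
    print("\n".join(ocsp_hosts(der)))
```

Run it with the path to the PEM certificate served by the portal, then resolve the printed host names to get the addresses for the allowed list.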