Tony's ramblings on Open Source Software, Life and Photography

How To Fix LAN SSL Connections Without Internet

In our offices, we don't provide Internet access to workstations that don't need it for day-to-day business. It's not because I'm a mean C.I.O.; it has more to do with the fact that we deal with healthcare information and have tightened security beyond what a typical company would do.

One of the servers that some of our internal machines access only provides HTTPS (SSL) services and runs an EV certificate issued by Entrust (think green bar in IE7).

With a default setup, our internal machines without Internet access got, at best, sporadic access to the internal secure web server. The cause was OCSP, the Online Certificate Status Protocol: even though both the workstation and the server are inside the LAN, on an SSL connection the workstation would still try to check online whether the certificate had been revoked.

With Internet access blocked at that workstation, the check could never complete, so the connection would either time out or be extremely slow opening the first page.

There's a simple fix, but you only want to do this in a situation like ours, where you know you can explicitly trust the SSL certificate and the workstation doesn't have Internet access. In Firefox, open Preferences, go to the Advanced tab, then choose the Encryption tab. Click Validation and uncheck "Use Online Certificate Status Protocol".

There you have it... internal LAN requests now work without having to go out to the Internet to verify the certificate.
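An added example, not code from the post: a small Python audit script. Once OCSP checking has been switched off on a set of workstations, the exception is easy to forget, so this script parses the `user_pref(...)` lines Firefox keeps in a profile's prefs.js and user.js (the preference behind that checkbox is `security.OCSP.enabled`; `security.OCSP.require` decides whether an unreachable responder is fatal or merely slow) and reports the effective setting for each profile, so the list of profiles with checking disabled can be compared against the list of machines that really are offline. The profile paths and the sample preference lines are constructed for the example. Worth keeping in mind: unchecking the box disables revocation checking for every site that profile visits, not just the LAN server; where a workstation has a proxy or firewall, permitting only the CA's OCSP responder URL keeps revocation checking intact, and a server that supports OCSP stapling lets clients verify status without any outbound request of their own.

```python
"""Audit Firefox profiles for their OCSP (certificate revocation check) settings.

Added example, not code from the original post. It reads the user_pref()
lines Firefox keeps in a profile's prefs.js and user.js and reports whether
online status checking is on, off, or set to hard-fail, so an exception
like the LAN-only workstations stays visible to whoever administers them.
Profile paths and sample lines are constructed for the example.
"""
import re
from pathlib import Path

# Real Firefox preference names.
OCSP_ENABLED = "security.OCSP.enabled"  # 0 = never check; 1 = check (default)
OCSP_REQUIRE = "security.OCSP.require"  # true = treat an unreachable responder as a failure

# Matches: user_pref("name", value);   value is an int, true/false or a "string"
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')


def parse_value(raw):
    """Convert the textual value of a user_pref() call to a Python value."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    try:
        return int(raw)
    except ValueError:
        return raw  # unknown form: keep the raw text rather than guess


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line in the text."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line)
        if match:
            prefs[match.group(1)] = parse_value(match.group(2))
    return prefs


def ocsp_status(prefs):
    """Classify the effective OCSP behaviour, using Firefox's defaults for absent prefs."""
    if prefs.get(OCSP_ENABLED, 1) == 0:
        return "disabled"   # what the post's checkbox produces: no online check at all
    if prefs.get(OCSP_REQUIRE, False) is True:
        return "hard-fail"  # unreachable responder -> connection refused
    return "soft-fail"      # default: unreachable responder -> wait for the timeout, then proceed


def load_profile_prefs(profile_dir):
    """Merge prefs.js with user.js (user.js wins, as it does at Firefox startup)."""
    prefs = {}
    for name in ("prefs.js", "user.js"):
        path = Path(profile_dir) / name
        if path.is_file():
            prefs.update(parse_prefs(path.read_text(encoding="utf-8", errors="replace")))
    return prefs


def audit_profiles(profile_dirs):
    """Return {profile_dir: status} for each profile directory given."""
    return {str(d): ocsp_status(load_profile_prefs(d)) for d in profile_dirs}


# Constructed sample of what prefs.js looks like after the post's checkbox is unchecked.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://intranet.example/");
user_pref("security.OCSP.enabled", 0);
user_pref("security.OCSP.require", false);
"""

if __name__ == "__main__":
    print("sample profile:", ocsp_status(parse_prefs(SAMPLE_PREFS_JS)))
    # Real use: pass the profile directories of the offline workstations, e.g.
    # audit_profiles(Path("/path/to/profiles").glob("*.default"))   (placeholder path)
```

Run it against the profile directories of the offline workstations (for example by collecting them over a share or with your management tooling) and anything reporting "disabled" on a machine that does have Internet access is a setting that should be turned back on.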
