Wireless Access

 View Only

  • 1.  Comodo OCSP - new IP address

    Posted Nov 30, 2011 10:05 AM

    For those of you running captive portal based upon a Comodo SSL certificfate, you might like to know that one of the IP addresses being returned by a DNS query of ocsp.comodoca.com has changed in the past couple of days.

     

    This appears to be causing issues for MacOS Lion clients to be able to check the validity of the certificate.

     

    ocsp.comodoca.com

    WAS: 91.199.212.169, 91.209.196.169, 149.5.128.169

    NOW: 91.199.212.169, 91.209.196.169, 178.255.83.1

     

    The new IP address also resolves to oscp.usertrust.com which is part of some Comodo certificate chains.

    If you've got captive portal clients reporting issues with getting the to captive portal page this might be worth checking out.

     

     



  • 2.  RE: Comodo OCSP - new IP address

    Posted Nov 30, 2011 01:02 PM

    Thanks for the info!



  • 3.  RE: Comodo OCSP - new IP address

    Posted Nov 30, 2011 01:57 PM

    Using Google's DNS at 8.8.8.8, ocsp.comodoca.com resolves to:

    178.255.83.1

    199.66.201.169

    91.209.196.169

     

    I would also add the following crl.comodoca.com:

    178.255.83.2

     



  • 4.  RE: Comodo OCSP - new IP address

    Posted Nov 30, 2011 07:23 PM
    @tomo wrote:

    For those of you running captive portal based upon a Comodo SSL certificfate, you might like to know that one of the IP addresses being returned by a DNS query of ocsp.comodoca.com has changed in the past couple of days.

     

    This appears to be causing issues for MacOS Lion clients to be able to check the validity of the certificate.

     

    ocsp.comodoca.com

    WAS: 91.199.212.169, 91.209.196.169, 149.5.128.169

    NOW: 91.199.212.169, 91.209.196.169, 178.255.83.1

     

    The new IP address also resolves to oscp.usertrust.com which is part of some Comodo certificate chains.

    If you've got captive portal clients reporting issues with getting the to captive portal page this might be worth checking out.

     

     


    Thanks for posting this. Our wireless users don't complain when things aren't working. If you hadn't have posted this, I wouldn't have known to test our CP SSID. After testing, our Geotrust cert wasn't working either. I found that they changed the Geotrust IP addresses as well. I posted those in their own thread.

     

    Thanks again!



  • 5.  RE: Comodo OCSP - new IP address

    Posted Dec 01, 2011 04:10 AM

    Of course, if you're using AOS 6.1.X you can build the PEF-NG rule to be based on DNS hostnames, which is probably the better long term solution :smileyhappy:



  • 6.  RE: Comodo OCSP - new IP address

    Posted Dec 01, 2011 08:19 AM

    I got our cert provider to open a support call against Comodo to find out the IP ranges that they're likely to use, and I include their statement below.

     

    The extent of the IP ranges that we can provide to you can be found below. This is not the full list as we may pull in blocks from other providers as load and need are required so customer should be using DNS (which is where we'll publish our IPs) vs. that having to plug in our netblocks. Customer may want to query our OCSP/CRL every so often (e.g. every day) from a server that doesn't have restrictions, grab the IPs, whitelist them on Firewall, rinse and repeat as needed..

     

    * 91.209.196.0/24

    * 91.199.212.0/24

    * 178.255.80.0/21

    * 149.5.128.0/24

     

    Regards,

     

    Technical Support



Related Content