httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 36438] New: - Problem with CRL file loading in mod_ssl
Date Wed, 31 Aug 2005 10:05:31 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=36438>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=36438

           Summary: Problem with CRL file loading in mod_ssl
           Product: Apache httpd-2.0
           Version: 2.0.50
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: stephane.omnes@atosorigin.com
                CC: stephane.omnes@atosorigin.com


When you use "SSLCARevocationFile" directive to launch a Certificate Revocation 
List, if the CRL file is not in PEM format (DER for example), no warning or 
error message is written in logs file, so that you don't detect that something 
goes wrong... In this case, when a revoked client certificate is submitted to 
Apache during SSL negociation, the verification doesn't work well (e.g. nothing 
happen !).
I think that it's a major problem because this bug concerns security aspects of 
Apache.
I detetected this situation on Apache 2.0.50 with openssl 0.9.7-8
Sincerely,

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message