httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 14104] - not documented: must restart server to load new CRL
Date Tue, 04 Dec 2007 17:20:49 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=14104>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=14104

------- Additional Comments From steve@openssl.org  2007-12-04 09:20 -------
I agree that reloading of CRLs when necessary is a highly desirable feature.

OpenSSL 0.9.9 does have some improved CRL support but adding generic reloading
to cover all cases into OpenSSL isn't really practical. OpenSSL 0.9.8 doesn't
have reloading support but its handling isn't as broken as mod_ssl manual CRL
handling.

As a general solution there are several options.

One is to run a local OCSP responder which makes use of CRLs to provide
revocation information. Then mod_ssl can determine certificate status over OCSP
and the responder can deal with CRLs in an appropriate manner. I did write such
a responder for a similar situation but never got round to getting the
implementation into a publicly usable form.

Another option is to have a database of CRL information in mod_ssl. A bit like
the session cache but for revocation information. Note that I say "revocation
information" as opposed to storing full CRLs because CRLs can be quite large and
decoding on each use is a considerable overhead. It is better to just store the
set of revoked certificates' serial numbers (CRL entries) and have a lookup
mechanism which each thread could use.


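The "database of revocation information" option in the comment above, worked through as an added Python example that is not part of the bug report, mod_ssl or OpenSSL: only the serial numbers from the CRL entries are kept in memory, a lookup is a set probe rather than a CRL decode, and the set is rebuilt when the CRL file on disk changes instead of waiting for a server restart. Everything here is an assumption for illustration: the CRL is DER, the file's mtime is the reload trigger, the `RevocationCache` class and `run_demo` are invented names, and the sample CRL is constructed inline and unsigned, so the signature check against the issuer key that a real deployment must perform before trusting any entry is deliberately left out.

```python
"""Added example (not mod_ssl or OpenSSL code): keep only the CRL entries'
serial numbers in memory and re-read the CRL file when it changes on disk.
Assumes a DER CRL, mtime as reload trigger, and a constructed UNSIGNED CRL;
a real deployment must verify the CRL signature against the issuer key."""
import os
import pathlib
import tempfile

SEQUENCE, SET, INTEGER, UTF8STRING = 0x30, 0x31, 0x02, 0x0C
UTCTIME, GENTIME, OID, NULL, BITSTRING = 0x17, 0x18, 0x06, 0x05, 0x03

def tlv(tag, body):
    """DER TLV with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(n):
    # one extra byte when the top bit is set keeps the INTEGER positive
    return tlv(INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def read_tlv(buf, off):
    """Return (tag, body, offset_after) for the TLV at buf[off]."""
    tag, first, off = buf[off], buf[off + 1], off + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    if off + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[off:off + length], off + length

def children(body):
    out, off = [], 0
    while off < len(body):
        tag, child, off = read_tlv(body, off)
        out.append((tag, child))
    return out

def revoked_serials(crl_der):
    """Revoked serial numbers from a DER CertificateList (RFC 5280 layout)."""
    tag, outer, _ = read_tlv(crl_der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a CertificateList")
    tbs_tag, tbs, _ = read_tlv(outer, 0)
    if tbs_tag != SEQUENCE:
        raise ValueError("malformed TBSCertList")
    fields = children(tbs)
    i = (1 if fields[0][0] == INTEGER else 0) + 3   # [version] sig issuer thisUpdate
    if i < len(fields) and fields[i][0] in (UTCTIME, GENTIME):
        i += 1                                      # optional nextUpdate
    serials = set()
    if i < len(fields) and fields[i][0] == SEQUENCE:  # revokedCertificates
        for etag, entry in children(fields[i][1]):
            stag, sbody = children(entry)[0]          # userCertificate INTEGER
            if etag != SEQUENCE or stag != INTEGER:
                raise ValueError("malformed CRL entry")
            serials.add(int.from_bytes(sbody, "big", signed=True))
    return serials

def build_crl(serials, this_update=b"240101000000Z", next_update=b"240108000000Z"):
    """Constructed, UNSIGNED v2 CRL for 'Example CA' (test data only)."""
    alg = tlv(SEQUENCE, tlv(OID, bytes.fromhex("2a864886f70d01010b")) + tlv(NULL, b""))
    cn = tlv(SEQUENCE, tlv(OID, bytes.fromhex("550403")) + tlv(UTF8STRING, b"Example CA"))
    tbs = der_int(1) + alg + tlv(SEQUENCE, tlv(SET, cn))
    tbs += tlv(UTCTIME, this_update) + tlv(UTCTIME, next_update)
    if serials:
        entries = (tlv(SEQUENCE, der_int(s) + tlv(UTCTIME, this_update)) for s in sorted(serials))
        tbs += tlv(SEQUENCE, b"".join(entries))
    return tlv(SEQUENCE, tlv(SEQUENCE, tbs) + alg + tlv(BITSTRING, b"\x00" * 5))

class RevocationCache:
    """Serial-number set that is rebuilt only when the CRL file changes."""
    def __init__(self, path):
        self.path, self._stamp, self._serials, self.loads = pathlib.Path(path), None, frozenset(), 0
    def _refresh(self):
        st = self.path.stat()
        stamp = (st.st_mtime_ns, st.st_size)
        if stamp != self._stamp:                    # new CRL published: rebuild once
            self._serials = frozenset(revoked_serials(self.path.read_bytes()))
            self._stamp, self.loads = stamp, self.loads + 1
    def is_revoked(self, serial):
        self._refresh()
        return serial in self._serials              # per-lookup cost: one set probe

def run_demo():
    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d, "ca.crl")
        path.write_bytes(build_crl({0x1001, 0x1002}))
        cache = RevocationCache(path)
        before = (cache.is_revoked(0x1001), cache.is_revoked(0x1003), cache.loads)
        st = path.stat()
        path.write_bytes(build_crl({0x1001, 0x1003}))
        # a new CRL has a newer mtime; set it explicitly so the demo is timestamp-resolution independent
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))
        after = (cache.is_revoked(0x1001), cache.is_revoked(0x1002),
                 cache.is_revoked(0x1003), cache.loads)
        cache.is_revoked(0x2000)                    # unchanged file: no reload
        return {"before": before, "after": after, "loads_after_idle": cache.loads}
```

`run_demo()` publishes a CRL listing serials 0x1001 and 0x1002, then replaces it with one listing 0x1001 and 0x1003; the second round of lookups reflects the new file with no restart, and a further lookup against the unchanged file triggers no reload. In a prefork or threaded server the same frozenset would be the per-process (or shared-memory) structure each thread probes, keyed on the CRL's mtime so that a freshly published CRL is picked up on the next lookup.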

