httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 45708] CRL verification fails if CA have distinct AKID for CRL and client certificates
Date Tue, 06 Jul 2010 18:10:34 GMT

--- Comment #8 from Erwann Abalea 2010-07-06 14:10:32 EDT ---
(In reply to comment #2)
> *** Bug 45683 has been marked as a duplicate of this bug. ***

This is technically not really a duplicate of this bug. In this bug (#45863),
the described situation doesn't conform to the X.509 standard if the 2 CRLs
cover the whole set of certificates (i.e. if they're not partitioned, which
actual mod_ssl code doesn't deal with).

The proposed patch will solve their error, by masking it, which is sub-optimal.
It's OK if the 2 CRLs are "full ones" (not partitioned), and if they contain
the same revocation information (i.e. the exact same list of revoked
If this is not the case, then this CA doesn't do its job correctly, which is
not Apache/mod_ssl's fault.
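
An added example, not part of the original message and not mod_ssl code: one way to check the condition the comment describes, that two CRLs from the same issuer are both full (no Issuing Distribution Point extension) and list the same revoked serial numbers, even though their AKIDs differ. It assumes the third-party Python `cryptography` package; the CA name, keys, serial numbers and helper names are constructed for illustration.

```python
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def is_partitioned(crl):
    # An IssuingDistributionPoint extension limits the CRL to part of the CA's scope.
    try:
        crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint)
        return True
    except x509.ExtensionNotFound:
        return False

def crl_akid(crl):
    ext = crl.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
    return ext.value.key_identifier

def same_revocation_info(crl_a, crl_b):
    # True only for two full CRLs of one issuer that list the same revoked serials.
    if crl_a.issuer != crl_b.issuer or is_partitioned(crl_a) or is_partitioned(crl_b):
        return False
    return {r.serial_number for r in crl_a} == {r.serial_number for r in crl_b}

# --- constructed sample data (hypothetical CA, keys and serial numbers) ---
ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA (constructed)")])
WHEN = datetime(2010, 7, 6)

def make_crl(key, serials, partitioned=False):
    b = x509.CertificateRevocationListBuilder().issuer_name(ISSUER)
    b = b.last_update(WHEN).next_update(WHEN + timedelta(days=7))
    akid = x509.AuthorityKeyIdentifier.from_issuer_public_key(key.public_key())
    b = b.add_extension(akid, critical=False)
    if partitioned:
        idp = x509.IssuingDistributionPoint(
            full_name=None, relative_name=None, only_contains_user_certs=True,
            only_contains_ca_certs=False, only_some_reasons=None,
            indirect_crl=False, only_contains_attribute_certs=False)
        b = b.add_extension(idp, critical=True)
    for s in serials:
        entry = x509.RevokedCertificateBuilder().serial_number(s).revocation_date(WHEN)
        b = b.add_revoked_certificate(entry.build())
    return b.sign(private_key=key, algorithm=hashes.SHA256())

# Two signing keys under one issuer name give two CRLs with distinct AKIDs.
KEY_A, KEY_B = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))

if __name__ == "__main__":
    a, b = make_crl(KEY_A, [1, 2]), make_crl(KEY_B, [2, 1])
    print(crl_akid(a) != crl_akid(b), same_revocation_info(a, b))
```
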
