httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 53156] CRL validation fails if CRL is missing
Date Fri, 27 Apr 2012 15:10:25 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=53156

David Sansome <me@davidsansome.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #2 from David Sansome <me@davidsansome.com> ---
If I have CRLs for some CAs in the chain but not others then
SSLCARevocationCheck none/chain will only let me either allow everything or
deny everything - I can't tell it to check the ones that I have CRLs for but
ignore the rest.

The long answer is that I'm working on an embedded appliance that uses Apache -
we want to upgrade it from 2.2 to 2.4, but some users might have already added
CRLs to their systems.  We could default the SSLCARevocationCheck option to
None, which would lower security for the people who were using CRLs, or we
could default it to Chain, which would completely lock out people who were
using client certificate checking without CRLs.  Adding this option back in
makes sure we don't break anybody.

-- 
You are receiving this mail because:
You are the assignee for the bug.
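
The trade-off described in comment #2, as an added example that is not part of the original message and not Apache or OpenSSL code: a simplified Python model of per-certificate CRL checking over a chain where only one CA has a CRL. The `missing_crl_ok` switch, the certificate names and the serial numbers are hypothetical, and `leaf` is included because the directive accepts it alongside `none` and `chain`.

```python
"""Simplified model of per-certificate CRL checking (not mod_ssl/OpenSSL code)."""
from typing import NamedTuple


class Cert(NamedTuple):
    subject: str
    issuer: str
    serial: int


def check_revocation(chain, crls, mode, missing_crl_ok=False):
    """Return (allowed, reason) for a leaf-first chain without the root.

    crls maps issuer name -> set of revoked serials for each CRL on disk.
    missing_crl_ok is a hypothetical switch for the behaviour requested above.
    """
    if mode == "none":
        return True, "revocation not checked"
    if mode not in ("leaf", "chain"):
        raise ValueError(f"unknown mode: {mode}")
    skipped = []
    for cert in (chain[:1] if mode == "leaf" else chain):
        revoked = crls.get(cert.issuer)
        if revoked is None:
            if not missing_crl_ok:
                return False, f"no CRL from {cert.issuer} to check {cert.subject}"
            skipped.append(cert.subject)  # record what went unchecked
        elif cert.serial in revoked:
            return False, f"{cert.subject} is revoked by {cert.issuer}"
    if skipped:
        return True, "accepted, unchecked: " + ", ".join(skipped)
    return True, "accepted, all certificates checked"


# Constructed sample data: a CRL exists for the issuing CA but not for the root.
CRLS = {"Issuing CA": {0x1F}}
INTERMEDIATE = Cert("Issuing CA", "Root CA", 0x02)
GOOD = [Cert("client-a", "Issuing CA", 0x21), INTERMEDIATE]
REVOKED = [Cert("client-b", "Issuing CA", 0x1F), INTERMEDIATE]

if __name__ == "__main__":
    for label, chain in (("good", GOOD), ("revoked", REVOKED)):
        for mode, lenient in (("none", False), ("chain", False), ("chain", True)):
            print(label, mode, lenient, check_revocation(chain, CRLS, mode, lenient))
```

With this data, `none` accepts the revoked client, strict `chain` rejects the valid client because the root has no CRL, and only the lenient variant rejects the revoked client while accepting the valid one.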
