httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 14104] not documented: must restart server to load new CRL
Date Sat, 02 Jun 2012 01:38:58 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=14104

--- Comment #12 from Matt Whitlock <apache@mattwhitlock.name> ---
This just bit me today. I'm using client-certificate authentication on a web
server that I admin for my company, and yesterday I had to revoke one of the
certificates due to a termination of an employee, and today I decided to verify
that the revocation actually worked by temporarily revoking my own certificate,
and surprise(!), I was still able to authenticate to the site. I had to reload
Apache before it would reject my authentication. This is not the behavior I
expected. It's not as though the contents of the CRLs is conceptually being
"included" into the configuration like a modular config file would be; no, the
CRL is a piece of volatile data that the configuration *references*, and the
server needs to notice when the file changes. At the very least, the Apache
mod_ssl documentation needs to note that any changes to the CRL files at
SSLCARevocationPath will require a reload of the server configuration in order
to take effect. This could have been disastrous if I hadn't thought to double
check that Apache was actually rejecting the revoked certs.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message