httpd-bugs mailing list archives

Subject [Bug 14104] not documented: must restart server to load new CRL
Date Sat, 02 Jun 2012 01:38:58 GMT

--- Comment #12 from Matt Whitlock <> ---
This just bit me today. I'm using client-certificate authentication on a web
server that I admin for my company, and yesterday I had to revoke one of the
certificates due to a termination of an employee, and today I decided to verify
that the revocation actually worked by temporarily revoking my own certificate,
and surprise(!), I was still able to authenticate to the site. I had to reload
Apache before it would reject my authentication. This is not the behavior I
expected. It's not as though the contents of the CRLs are conceptually being
"included" into the configuration like a modular config file would be; no, the
CRL is a piece of volatile data that the configuration *references*, and the
server needs to notice when the file changes. At the very least, the Apache
mod_ssl documentation needs to note that any changes to the CRL files at
SSLCARevocationPath will require a reload of the server configuration in order
to take effect. This could have been disastrous if I hadn't thought to double-check
that Apache was actually rejecting the revoked certs.
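The check the comment above describes, done locally with openssl so it can be run before and after any server reload: this is an added example, not part of the bug report or of Apache httpd. It builds a throwaway CA, issues a client certificate, revokes it into a fresh CRL, and verifies the certificate against that CRL the way mod_ssl does when it has actually loaded the file. The CA name, the `alice` certificate, the scratch directory and the commented Apache paths are all made up for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Apache httpd: build a throwaway
# CA, issue a client certificate, revoke it into a CRL, and check the certificate
# against that CRL the way mod_ssl would once it has read the file.
# All names and paths below are illustrative.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the CA (illustrative)

# Minimal "openssl ca" layout plus a self-signed CA certificate.
make_ca() {
    mkdir -p "$WORK/ca/newcerts"
    : > "$WORK/ca/index.txt"
    echo 1000 > "$WORK/ca/serial"
    echo 1000 > "$WORK/ca/crlnumber"
    cat > "$WORK/ca/ca.cnf" <<EOF
[ ca ]
default_ca       = example_ca
[ example_ca ]
dir              = $WORK/ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = any_cn
[ any_cn ]
commonName       = supplied
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Client CA" \
        -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.pem" 2>/dev/null
}

# Issue a client certificate for the given common name, signed by the CA.
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$WORK/ca/ca.cnf" \
        -in "$WORK/$1.csr" -out "$WORK/$1.pem" 2>/dev/null
}

# Regenerate the CRL from the CA database (an empty CRL if nothing is revoked).
gen_crl() {
    openssl ca -config "$WORK/ca/ca.cnf" -gencrl -out "$WORK/ca/crl.pem" 2>/dev/null
}

# Mark a certificate revoked in the CA database and write a new CRL.
revoke_client() {
    openssl ca -config "$WORK/ca/ca.cnf" -revoke "$WORK/$1.pem" 2>/dev/null
    gen_crl
}

# Verify a client certificate against the CA and the CRL on disk, as a server
# that has actually loaded the current CRL would. Returns 0 if accepted,
# 1 if rejected (expired, untrusted, or listed in the CRL).
check_client() {
    if openssl verify -crl_check -CAfile "$WORK/ca/ca.pem" \
        -CRLfile "$WORK/ca/crl.pem" "$WORK/$1.pem" >/dev/null 2>&1; then
        return 0
    else
        return 1
    fi
}

# Walk through the scenario from the bug report: the certificate is accepted,
# then revoked; the CRL on disk now rejects it, but a server process that never
# re-read the file would still accept it until the configuration is reloaded.
demo() {
    make_ca
    issue_client alice
    gen_crl
    check_client alice && echo "alice before revocation: accepted"
    revoke_client alice
    check_client alice || echo "alice after revocation: rejected by the new CRL"
    # For Apache (paths illustrative): install the new CRL where
    # SSLCARevocationFile or SSLCARevocationPath points, rehash the directory
    # if using SSLCARevocationPath, and then reload the server:
    #   openssl rehash /etc/apache2/ssl/crl && apachectl graceful
    echo "CRL written to $WORK/ca/crl.pem"
}

demo
```

Run the script, copy the resulting CRL to the location referenced by the server configuration, reload Apache, and only then repeat the real test with the revoked client certificate against the live server. Two caveats worth remembering with httpd 2.4: `SSLCARevocationCheck` defaults to `none`, so the CRL is not consulted at all until it is set to `chain` or `leaf`, and a directory used with `SSLCARevocationPath` is looked up by hashed filename, so it must be rehashed (`openssl rehash` or `c_rehash`) whenever a CRL is added or replaced.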
