From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: [Bug 14104] not documented: must restart server to load new CRL
Date: Sat, 02 Jun 2012 01:38:58 +0000
X-Bugzilla-Product: Apache httpd-2
X-Bugzilla-Component: mod_ssl
X-Bugzilla-Severity: enhancement
X-Bugzilla-Who: apache@mattwhitlock.name
X-Bugzilla-Status: REOPENED
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: bugs@httpd.apache.org
X-Bugzilla-URL: https://issues.apache.org/bugzilla/

https://issues.apache.org/bugzilla/show_bug.cgi?id=14104

--- Comment #12 from Matt Whitlock ---

This just bit me today. I'm using client-certificate authentication on a web server that I admin for my company, and yesterday I had to revoke one of the certificates due to a termination of an employee, and today I decided to verify that the revocation actually worked by temporarily revoking my own certificate, and surprise(!), I was still able to authenticate to the site. I had to reload Apache before it would reject my authentication.

This is not the behavior I expected. It's not as though the contents of the CRLs are conceptually being "included" into the configuration like a modular config file would be; no, the CRL is a piece of volatile data that the configuration *references*, and the server needs to notice when the file changes.

At the very least, the Apache mod_ssl documentation needs to note that any changes to the CRL files at SSLCARevocationPath will require a reload of the server configuration in order to take effect. This could have been disastrous if I hadn't thought to double-check that Apache was actually rejecting the revoked certs.
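As an added example (not from the bug report and not httpd's or mod_ssl's own code), here is the check the comment above describes, done offline with the openssl CLI instead of against the live server: a throw-away client CA issues a certificate, revokes it, regenerates the CRL, and "openssl verify -crl_check" shows whether the CRL file now rejects that certificate. The CA name, the user names, the directory layout and the HTTPD_RELOAD switch are made up for the demo; the only assumption is that the openssl command is installed.

```shell
#!/bin/sh
# Added example, not part of the bug report or of httpd/mod_ssl: build a
# throw-away client CA, revoke a certificate, regenerate the CRL, and prove
# with openssl that the new CRL rejects the certificate before the server is
# reloaded. Every path, CA name and user name below is made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/ca"
CRL_DIR="$WORK/crl_dir"   # stands in for the SSLCARevocationPath directory

# Minimal openssl.cnf so that "openssl ca" can issue, revoke and emit CRLs.
setup_ca() {
    mkdir -p "$CA_DIR/newcerts" "$CRL_DIR"
    : > "$CA_DIR/index.txt"
    echo 1000 > "$CA_DIR/serial"
    echo 01 > "$CA_DIR/crlnumber"
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = $CA_DIR
database           = \$dir/index.txt
new_certs_dir      = \$dir/newcerts
serial             = \$dir/serial
crlnumber          = \$dir/crlnumber
certificate        = \$dir/ca.pem
private_key        = \$dir/ca.key
default_md         = sha256
default_days       = 365
default_crl_days   = 7
policy             = demo_policy
x509_extensions    = client_ext
[ demo_policy ]
commonName         = supplied
[ client_ext ]
basicConstraints   = CA:FALSE
keyUsage           = digitalSignature
extendedKeyUsage   = clientAuth
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
commonName         = Common Name
[ ca_ext ]
basicConstraints   = critical,CA:TRUE
keyUsage           = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Client CA" \
        -config "$CA_DIR/openssl.cnf" -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.pem" 2>/dev/null
}

# Issue a client certificate for user $1 as $WORK/$1.pem.
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -config "$CA_DIR/openssl.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" \
        -in "$WORK/$1.csr" -out "$WORK/$1.pem" 2>/dev/null
}

# Write a fresh CRL. Revoking only updates the CA database; the CRL file the
# server reads does not change until this runs.
regen_crl() {
    openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

revoke_client() {
    openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$WORK/$1.pem" 2>/dev/null
    regen_crl
}

# Print "accepted" or "rejected": chain verification plus CRL check for the
# certificate in $1, run against the CRL file so a stale CRL is caught here.
crl_status() {
    if openssl verify -crl_check -CAfile "$CA_DIR/ca.pem" \
        -CRLfile "$WORK/crl.pem" "$1" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# SSLCARevocationPath looks the CRL up by issuer hash as <hash>.r0 (the
# layout c_rehash / "openssl rehash" produce); print the link that was made.
install_crl() {
    link="$CRL_DIR/$(openssl crl -hash -noout -in "$WORK/crl.pem").r0"
    cp "$WORK/crl.pem" "$CRL_DIR/crl.pem"
    ln -sf crl.pem "$link"
    echo "$link"
}

# mod_ssl reads CRLs when the configuration is loaded, so the new file is
# ignored until a reload; "apachectl graceful" keeps live connections.
# Only runs when HTTPD_RELOAD=1 is set (demo switch, not an httpd option).
reload_httpd() {
    if command -v apachectl >/dev/null 2>&1; then
        apachectl graceful
    else
        echo "apachectl not found; skipping reload" >&2
    fi
}

setup_ca
issue_client alice
regen_crl
echo "before revocation: $(crl_status "$WORK/alice.pem")"
revoke_client alice
echo "after revocation:  $(crl_status "$WORK/alice.pem")"
install_crl
if [ "${HTTPD_RELOAD:-0}" = 1 ]; then reload_httpd; fi
```

Two points the script makes explicit. "openssl ca -revoke" changes only the CA database; the CRL that mod_ssl reads is unchanged until "-gencrl" writes a new one, and that file carries a nextUpdate after default_crl_days, so CRL regeneration needs to run on a schedule whether or not anything was revoked, because an expired CRL makes the verify step fail for every client, not just the revoked one. Once the new CRL is in place where SSLCARevocationFile or SSLCARevocationPath points (for the latter, under the issuer hash as <hash>.r0, as install_crl does), the server still has to be reloaded, which is the point of the bug report. On httpd 2.4, SSLCARevocationCheck defaults to "none", so SSLCARevocationFile/Path alone does not turn CRL checking on; set "SSLCARevocationCheck chain" as well. After the reload, repeat the check from the client side, e.g. "curl --cert alice.pem --key alice.key https://host/", and expect the TLS handshake to fail for the revoked certificate.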