httpd-dev mailing list archives

From Matthieu Estrade <>
Subject modssl - ocsp - crl
Date Wed, 15 Dec 2004 13:45:24 GMT
I'm close to finishing the OCSP feature on mod_ssl, but when I look at the entire client auth system, there are some little points that are not really clean. For example, when somebody today sets up SSLVerifyClient require and puts CA and CRL, with SSLCARevocationPath, if no CRL is correct inside the path, mod_ssl will not find the good one and will bypass the CRL check. What I mean is, on a misconfigured system, the admin can't know if the CRL check is active or not.
Sometimes, the SSLCARevocationPath directive is used with a little daemon updating the CRL.

Maybe it's a normal behaviour, but I think it could be cleaner to choose the way to say the user is authenticated, via a directive:

SSLVerifyClient require
SSLCACertificatePath /usr/local/apache/conf/ssl.crt/
SSLCARevocationPath /usr/local/apache/conf/ssl.crl/
SSLVerifyClientMethod +CRL (or +OCSP) or -CRL.

In this case, the default could be CA + CRL and block if no valid CRL is
-CRL could disable the CRL check etc...
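The two policies the message contrasts, as an added example that is not part of the thread or of mod_ssl: a POSIX shell script driving the openssl command line to show a verification that treats the CRL as optional (a missing CRL is silently ignored) next to one that requires it (a missing, misnamed or stale CRL fails the client-certificate check), including the misconfigured case where a CRL is present in the directory but under the wrong hash name. It builds a throwaway CA and client certificate in a temporary directory; the CA name, the client name and the directory layout are constructed for the demo. The `<subject-hash>.r0` file name is the one both OpenSSL's hashed-directory lookup and mod_ssl's SSLCARevocationPath expect.

```shell
#!/bin/sh
# Added example (not code from the thread or from mod_ssl): the two revocation
# policies the message contrasts, reproduced with the openssl CLI. All names
# and the temporary directory layout are constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl.cnf for "openssl req" and "openssl ca" (constructed).
write_config() {
  cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
unique_subject   = no
[ policy_any ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
}

# Throwaway CA plus one client certificate issued through "openssl ca", so the
# CA database knows the certificate and can revoke it later.
setup_pki() {
  write_config
  mkdir -p "$WORK/newcerts" "$WORK/crldir"
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test CA" \
    -config "$WORK/openssl.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client" \
    -config "$WORK/openssl.cnf" -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl ca -batch -notext -config "$WORK/openssl.cnf" \
    -in "$WORK/client.csr" -out "$WORK/client.crt" 2>/dev/null
}

# "CRL optional": chain check only. Prints OK although no CRL exists (the bypass).
verify_without_crl() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1 \
    && echo OK || echo FAIL
}

# "CRL required": -crl_check needs a valid CRL from the issuing CA. Extra
# arguments say where to look for it, e.g. -CRLfile FILE or -CApath DIR.
verify_with_crl_check() {
  openssl verify -crl_check -CAfile "$WORK/ca.crt" "$@" "$WORK/client.crt" >/dev/null 2>&1 \
    && echo OK || echo FAIL
}

# Issue a CRL and install it as <subject-hash>.r0, the file name a hashed
# directory lookup (OpenSSL -CApath, mod_ssl SSLCARevocationPath) expects.
issue_crl() {
  openssl ca -config "$WORK/openssl.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
  hash=$(openssl x509 -hash -noout -in "$WORK/ca.crt")
  rm -f "$WORK/crldir"/*.r0
  cp "$WORK/ca.crl" "$WORK/crldir/$hash.r0"
}

# The misconfiguration from the message: a CRL is in the directory, but under a
# hash that matches no issuer, so no lookup ever finds it.
install_misnamed_crl() {
  rm -f "$WORK/crldir"/*.r0
  cp "$WORK/ca.crl" "$WORK/crldir/deadbeef.r0"
}

# Revoke the client certificate and publish a fresh CRL that lists it.
revoke_client() {
  openssl ca -config "$WORK/openssl.cnf" -revoke "$WORK/client.crt" 2>/dev/null
  issue_crl
}

# Walk through the scenario, printing one "<step>: <OK|FAIL>" line per check.
run_demo() {
  setup_pki
  echo "no CRL, optional:       $(verify_without_crl)"                              # OK
  echo "no CRL, required:       $(verify_with_crl_check)"                           # FAIL
  issue_crl
  echo "CRL file, required:     $(verify_with_crl_check -CRLfile "$WORK/ca.crl")"   # OK
  echo "CRL dir, required:      $(verify_with_crl_check -CApath "$WORK/crldir")"    # OK
  install_misnamed_crl
  echo "misnamed CRL, required: $(verify_with_crl_check -CApath "$WORK/crldir")"    # FAIL
  revoke_client
  echo "revoked, required:      $(verify_with_crl_check -CRLfile "$WORK/ca.crl")"   # FAIL
}
run_demo
```

The first two lines of output are the point of the message: the same certificate, CA and (absent) CRL pass in the optional mode and fail with "unable to get certificate CRL" in the required mode, so only the strict mode lets an admin notice that a revocation directory is empty or populated under the wrong hash names.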