Return-Path: Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: (qmail 78195 invoked from network); 20 Dec 2004 16:57:35 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur-2.apache.org with SMTP; 20 Dec 2004 16:57:35 -0000 Received: (qmail 8742 invoked by uid 500); 20 Dec 2004 16:38:43 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 8714 invoked by uid 500); 20 Dec 2004 16:38:43 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: list-post: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 8689 invoked by uid 99); 20 Dec 2004 16:38:43 -0000 X-ASF-Spam-Status: No, hits=1.3 required=10.0 tests=FROM_NO_LOWER X-Spam-Check-By: apache.org Received-SPF: pass (hermes.apache.org: local policy) Received: from dns24-ext.dfas.mil (HELO dns24.dfas.mil) (206.39.12.245) by apache.org (qpsmtpd/0.28) with ESMTP; Mon, 20 Dec 2004 08:38:39 -0800 Received: from iso-e2-w-1.DS.DFAS.MIL (iso-e2-w-1.ds.dfas.mil [158.18.1.127]) by dns24.dfas.mil with ESMTP id iBKGcaXr028637 for ; Mon, 20 Dec 2004 11:38:36 -0500 (EST) content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Subject: RE: modssl - ocsp - crl X-MimeOLE: Produced By Microsoft Exchange V6.0.6563.0 Date: Mon, 20 Dec 2004 11:38:34 -0500 Message-ID: <932ACD88A2215048AB039F28F23CC143047ADD3C@iso-e2-w-1.ds.dfas.mil> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: modssl - ocsp - crl Thread-Index: AcTio5HsQiS7j0gvQ8yy8+VeVlinywEDKtiw From: "TAYLOR, TIM \(CONTRACTOR\)" To: X-Virus-Checked: Checked X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N I have noticed this behavior as well. Apache is quiet unless it actually = finds revocation of the cert being verified. Perhaps better would be code that checked that for every trusted CA (via = SSLCACertificate*) there is a corresponding CRL and if not, post a = warning (or error) in the log (according to your selected revocation = check method). I don't see that you would need a new directive except = for choosing revocation check method. BTW, are coding it to support more than one method in a preferred order? = Such as something like SSLRevocationMethod OCSP CRL meaning, try OCSP first and fall back to CRL (if OCSP timeout). As you = can see, I am interested in your patch. regards, tt 317-510-5987 =20 -----Original Message----- From: Matthieu Estrade [mailto:mestrade@apache.org] Sent: Wednesday, December 15, 2004 8:45 AM To: dev@httpd.apache.org Subject: modssl - ocsp - crl I'm close to finish the ocsp feature on mod_ssl, but when i look the=20 entire client auth system, there is some little point not really clean. For example, when somebody today setup a SSLVerifyClient require and put = CA and CRL, with SSLCARevocationPath, if no CRL is correct inside the=20 path, mod_ssl will not find the good one and will bypass CRL check. What = i mean is on a misconfigured system, admin can't know if crl check is=20 active or not. Sometimes, the SSLCARevocationPath directive is used with a little=20 daemon updating CRL. Maybe it's a normal behaviour, but i think it could be more clean to=20 choose the way to say the user is authenticated, via a directive: SSLVerifyClient require SSLCACertificatePath /usr/local/apache/conf/ssl.crt/ SSLCARevocationPath /usr/local/apache/conf/ssl.crl/ SSLVerifyClientMethod +CRL (or +OCSP) or -CRL. In this case, the default could be CA + CRL and block if no valid crl is = found -CRL could disable the crl check etc... Regards, Matthieu