httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Orton <jor...@redhat.com>
Subject mod_ssl & CRL verification
Date Tue, 26 Feb 2008 18:57:32 GMT
On Tue, Feb 26, 2008 at 04:51:40PM +0000, Dr Stephen Henson wrote:
> Well the current CRL strategy has a few problems. It ignores critical 
> extensions but that's a separate issue...

I was looking at this recently; is it still true that mod_ssl has to do 
so much of the CRL revocation checks for client certs itself (i.e. all 
of ssl_callback_SSLVerify_CRL) - it looks like X509_verify_cert() can do 
revocation checks itself if suitably configured, though maybe this is a 
recent addition?

> Many CRLs have short lifetimes and need to be updated fairly often which 
> causes problems when the server needs to be restarted each time.
...
> Well that's one strategy... another would be to use OCSP exclusively and 
> have a local OCSP responder driven by CRLs.

Right, that is exactly my view.  I think that any attempt to make 
mod_ssl treat CRLs as anything other than static files loaded once at 
startup will end up trying to reinvent OCSP badly.

If a free OCSP responder existed which actually did this maybe those 
"make CRL handling better" bug reports would go away :)

joe

Mime
View raw message