httpd-dev mailing list archives

From Dr Stephen Henson <>
Subject Re: mod_ssl & CRL verification
Date Tue, 26 Feb 2008 20:00:12 GMT
Joe Orton wrote:
> On Tue, Feb 26, 2008 at 04:51:40PM +0000, Dr Stephen Henson wrote:
>> Well the current CRL strategy has a few problems. It ignores critical 
>> extensions but that's a separate issue...
> I was looking at this recently; is it still true that mod_ssl has to do 
> so much of the CRL revocation checks for client certs itself (i.e. all 
> of ssl_callback_SSLVerify_CRL) - it looks like X509_verify_cert() can do 
> revocation checks itself if suitably configured, though maybe this is a 
> recent addition?

Some enhanced CRL support in X509_verify_cert() has been in OpenSSL for 
some time (over a year).

You just need to set the relevant flags and OpenSSL will handle things.

OpenSSL 0.9.7 checks for critical CRL extensions and rejects a CRL if it 
finds any.

0.9.8 can also use key identifiers to look up CRLs.

0.9.9 also includes support for extensions like IDP for CRL 
partitioning. It also allows multiple CRLs with the same scope to appear 
in a store and uses the first valid one (likely to change that to most 
recent). There is also a form of dynamic CRL loading. The functionality 
will be extended in future.

There is a difference in the directory handling. OpenSSL doesn't make 
any distinction between certificate and CRL directories: a CRL can 
appear in a certificate directory and vice-versa.

Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute:
OpenSSL Core team:
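As an added, constructed example (not from the thread, nor code from OpenSSL or httpd): the script below builds a throwaway CA, issues and then revokes a client certificate, and leaves the revocation check to the library by passing `-crl_check` to `openssl verify`, which sets X509_V_FLAG_CRL_CHECK on the verify context that X509_verify_cert() consumes; it also drops the CA certificate and the CRL into one hashed lookup directory, matching the remark above that OpenSSL does not separate certificate and CRL directories. It assumes an `openssl` binary of 1.1.1 or later on PATH (for `-addext`) and a POSIX shell; all names and values are made up for the demo.

```shell
#!/bin/sh
# Constructed demo: a scratch CA, one client cert, one revocation, and then
# `openssl verify` (i.e. X509_verify_cert()) doing the CRL check on its own.
set -e
DEMO=$(mktemp -d); cd "$DEMO"
mkdir newcerts; : > index.txt; echo 1000 > serial; echo 01 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 1
default_crl_days = 1
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 1 \
  -subj /CN=DemoCA -addext basicConstraints=critical,CA:TRUE -config ca.cnf 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj /CN=client -config ca.cnf 2>/dev/null
openssl ca -batch -notext -config ca.cnf -in client.csr -out client.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl-before.pem 2>/dev/null  # nothing revoked yet
openssl ca -config ca.cnf -revoke client.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl-after.pem 2>/dev/null   # client serial now listed
# One hashed directory holds both the CA cert (<hash>.0) and its CRL (<hash>.r0).
mkdir hashed
ln -s "$DEMO/ca.pem"        "hashed/$(openssl x509 -noout -hash -in ca.pem).0"
ln -s "$DEMO/crl-after.pem" "hashed/$(openssl crl -noout -hash -in crl-after.pem).r0"
# verify_client <crl file> [verify flags...]: returns 0 if accepted, 1 if rejected.
# Without -crl_check the CRL is loaded but never consulted, so the revoked cert passes.
verify_client() {
  crl=$1; shift
  if openssl verify -CAfile ca.pem -CRLfile "$crl" "$@" client.pem >/dev/null 2>&1
  then return 0; else return 1; fi
}
verify_via_dir() {  # same check, CA cert and CRL both located through -CApath
  if openssl verify -CApath hashed "$@" client.pem >/dev/null 2>&1
  then return 0; else return 1; fi
}
```

Running `verify_client crl-after.pem -crl_check` reports "certificate revoked" from the library itself, with no application-level CRL walk like ssl_callback_SSLVerify_CRL.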
