Return-Path: Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: (qmail 50289 invoked from network); 26 Feb 2008 18:58:09 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 26 Feb 2008 18:58:09 -0000 Received: (qmail 14512 invoked by uid 500); 26 Feb 2008 18:58:00 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 14456 invoked by uid 500); 26 Feb 2008 18:58:00 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 14445 invoked by uid 99); 26 Feb 2008 18:58:00 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 26 Feb 2008 10:58:00 -0800 X-ASF-Spam-Status: No, hits=-4.0 required=10.0 tests=RCVD_IN_DNSWL_MED,SPF_HELO_PASS,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of jorton@redhat.com designates 66.187.233.31 as permitted sender) Received: from [66.187.233.31] (HELO mx1.redhat.com) (66.187.233.31) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 26 Feb 2008 18:57:15 +0000 Received: from int-mx1.corp.redhat.com (int-mx1.corp.redhat.com [172.16.52.254]) by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id m1QIvYq3003944 for ; Tue, 26 Feb 2008 13:57:34 -0500 Received: from turnip.manyfish.co.uk (IDENT:U2FsdGVkX1/2zIz+uqMERo80vid32/tdScShxjJFS9w@vpn-15-7.rdu.redhat.com [10.11.15.7]) by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id m1QIvX42014919 for ; Tue, 26 Feb 2008 13:57:33 -0500 Received: from jorton by turnip.manyfish.co.uk with local (Exim 4.68) (envelope-from ) id 1JU4zc-0004yb-T5 for dev@httpd.apache.org; Tue, 26 Feb 2008 18:57:32 +0000 Date: Tue, 26 Feb 2008 18:57:32 +0000 From: Joe Orton To: dev@httpd.apache.org Subject: mod_ssl & CRL verification Message-ID: <20080226185732.GA18550@redhat.com> Mail-Followup-To: dev@httpd.apache.org References: <20080225221243.GA26447@redhat.com> <47C34742.80006@oss-institute.org> <20080226161513.GA11569@redhat.com> <47C4439C.1090200@oss-institute.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <47C4439C.1090200@oss-institute.org> User-Agent: Mutt/1.5.17 (2007-11-01) Organization: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SL4 1TE, United Kingdom. Registered in UK and Wales under Company Registration No. 03798903 Directors: Michael Cunningham (USA), Brendan Lane (Ireland), Matt Parson (USA), Charlie Peters (USA) X-Scanned-By: MIMEDefang 2.58 on 172.16.52.254 X-Virus-Checked: Checked by ClamAV on apache.org On Tue, Feb 26, 2008 at 04:51:40PM +0000, Dr Stephen Henson wrote: > Well the current CRL strategy has a few problems. It ignores critical > extensions but that's a separate issue... I was looking at this recently; is it still true that mod_ssl has to do so much of the CRL revocation checks for client certs itself (i.e. all of ssl_callback_SSLVerify_CRL) - it looks like X509_verify_cert() can do revocation checks itself if suitably configured, though maybe this is a recent addition? > Many CRLs have short lifetimes and need to be updated fairly often which > causes problems when the server needs to be restarted each time. ... > Well that's one strategy... another would be to use OCSP exclusively and > have a local OCSP responder driven by CRLs. Right, that is exactly my view. I think that any attempt to make mod_ssl treat CRLs as anything other than static files loaded once at startup will end up trying to reinvent OCSP badly. If a free OCSP responder existed which actually did this maybe those "make CRL handling better" bug reports would go away :) joe