httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nicob <ni...@nicob.net>
Subject CRL verification in mod_ssl
Date Thu, 28 Aug 2008 19:41:07 GMT
Hello,

I'm actually trying to setup a SSL reverse-proxy based on Apache 2.x and
mod_ssl and it seems there's a bug in the verification of the CRL.

If a CA changes its keys before expiration, the CRL is now signed by the
new key and include certificates issued by both the new and old keys.
However, mod_ssl will refuse to work if the AKID of the revoked
certificate doesn't match the issuer of the CRL.

Browsing Apache archives, I found that somebody posted a patch covering
this need (http://marc.info/?l=apache-httpd-dev&m=120350484626015), but
the code haven't been merged. I tested it and it works perfectly well.

Does this patch seems OK to you ? If yes, is it possible to include it ?

Regards,
Nicob


Mime
View raw message