httpd-dev mailing list archives

From Nicob <>
Subject CRL verification in mod_ssl
Date Thu, 28 Aug 2008 19:41:07 GMT

I'm actually trying to set up an SSL reverse proxy based on Apache 2.x and
mod_ssl and it seems there's a bug in the verification of the CRL.

If a CA changes its keys before expiration, the CRL is now signed by the
new key and includes certificates issued by both the new and old keys.
However, mod_ssl will refuse to work if the AKID of the revoked
certificate doesn't match the issuer of the CRL.

Browsing Apache archives, I found that somebody posted a patch covering
this need (, but
the code hasn't been merged. I tested it and it works perfectly well.

Does this patch seem OK to you? If yes, is it possible to include it?

