httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dirk-Willem van Gulik <>
Subject Re: CRL verification in mod_ssl
Date Fri, 29 Aug 2008 14:38:54 GMT

On Aug 28, 2008, at 9:41 PM, Nicob wrote:

> Hello,
> I'm actually trying to setup a SSL reverse-proxy based on Apache 2.x  
> and
> mod_ssl and it seems there's a bug in the verification of the CRL.
> If a CA changes its keys before expiration, the CRL is now signed by  
> the
> new key and include certificates issued by both the new and old keys.
> However, mod_ssl will refuse to work if the AKID of the revoked
> certificate doesn't match the issuer of the CRL.
> Browsing Apache archives, I found that somebody posted a patch  
> covering
> this need (,  
> but
> the code haven't been merged. I tested it and it works perfectly well.
> Does this patch seems OK to you ? If yes, is it possible to include  
> it ?

I just tried that patch - and it also matched two of my edge cases.

But this is a bit too obscure for me to dare to commit it directly.  
Could someone else with a good x509 understanding look at it ?

+1 from me - willing to do the legwork if someone else gives this a  
good review as well.


View raw message