httpd-dev mailing list archives

From Jan Kaluža <jkal...@redhat.com>
Subject Re: SSLDisableCRLCaching, is it even possible in 2.4.x?
Date Wed, 22 Apr 2015 08:36:30 GMT
On 04/22/2015 09:50 AM, Kaspar Brand wrote:
> On 21.04.2015 12:20, Jan Kaluža wrote:
>> We used to have a patch against httpd-2.2.15 to add an SSLDisableCRLCaching
>> option to not cache CRLs. I was trying to adapt this patch for
>> httpd-trunk and eventually include it upstream, but now I'm in a dead end.
>>
>> The patch removes all the CRLs from the per-server_rec OpenSSL cache
>> created in ssl_init_ctx_crl (OpenSSL caches the CRLs in
>> X509_store.objs). This all works properly, but I'm thinking about
>> thread-safety.
>
> Starting with 2.3.15 (https://svn.apache.org/r1165056), CRL checking was
> completely delegated to OpenSSL, so it would be a bit surprising to me
> if that patch can be ported to trunk.

I'm aware of that, that's why I'm rewriting that patch for trunk :).

> Fiddling with OpenSSL internals
> looks rather scary to me, at least at first sight - perhaps there's an
> API for clearing a CRL store in OpenSSL?

Unfortunately there's no such API in OpenSSL. There's a "caching" flag in
the X509_STORE struct, but it's never actually used for anything.

Maybe it would be a better idea to implement that in OpenSSL, but that's
kind of a long-term goal. I was hoping to have this feature in httpd at first.

> Kaspar
>

Regards,
Jan Kaluza
