httpd-users mailing list archives

From Jan Vávra <va...@602.cz>
Subject [users@httpd] client certificate revocation checking
Date Mon, 08 Jul 2013 21:45:50 GMT
Hi.
In our application we use authentication based on the client SSL 
certificate. I've found out that the checking of client cert revocation 
is not done automatically if the CRL Distribution Point is present in the 
client certificate. Is it intentional, or just not done yet?

The only way how to do revocation checking is to configure 
SSLCARevocationPath or SSLCARevocationFile.

The world of certificates is full of mess. The CRL Distribution Point is not 
mandatory. So if it is not present, the last chance to do checking is 
through the SSLCARevocation* vars. So they have their meaning.
I've found a discussion about reloading values of SSLCARevocation*
  http://markmail.org/message/nrhnyd6dppl25uxj
  From:     Erwann ABALEA (eaba...@gmail.com)
   Date:    Oct 15, 2008 9:08:30 am
   List:    org.apache.httpd.dev
  "CRL refreshing should also be taken into account; killing and 
restarting a webserver every hour or every day because we downloaded a 
new CRL is not a viable solution in a production environment, and OCSP 
is not always a good answer (we're not talking about a sub-minute 
revocation status)."

So my question is: is the CRL refreshing (reload of CRL files) done in 
the current Apache versions?

And in the end, what about OCSP - is it supported?

Jan.
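An added Go example, not part of Jan's mail or of httpd itself, that illustrates the gap described above: the chain of a client certificate verifies even though its CRL Distribution Point is never fetched, and only a locally supplied CRL (the role SSLCARevocationFile/Path play) reveals that the certificate is revoked. The CA, client certificate, CDP URL and CRL are all constructed in memory; the stale-CRL check stands in for the CRL-refresh concern quoted from the dev list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// buildFixture constructs, in memory only, a CA, a client cert with a CRL Distribution Point, and a CRL listing it as revoked.
func buildFixture() (ca, client *x509.Certificate, crlDER []byte) {
	now := time.Now().Add(-time.Minute)
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	clKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	clTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "client"},
		NotBefore: now, NotAfter: now.Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		CRLDistributionPoints: []string{"http://crl.example.test/ca.crl"}} // constructed CDP URL, never fetched
	clDER, _ := x509.CreateCertificate(rand.Reader, clTmpl, ca, &clKey.PublicKey, caKey)
	client, _ = x509.ParseCertificate(clDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: now}}}
	crlDER, _ = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return ca, client, crlDER
}
// chainValid is all that happens with no SSLCARevocation* set: the chain verifies, the CDP is ignored, revocation is never consulted.
func chainValid(ca, client *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
// revokedPerCRL is the step a local CRL file adds: verify the CRL's signature, refuse a stale CRL (it needs refreshing), then look up the serial.
func revokedPerCRL(ca, client *x509.Certificate, crlDER []byte, at time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return false, err }
	if err := crl.CheckSignatureFrom(ca); err != nil { return false, err }
	if at.After(crl.NextUpdate) { return false, errors.New("CRL is past NextUpdate") }
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(client.SerialNumber) == 0 { return true, nil }
	}
	return false, nil
}
```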


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

