Hi.
In our application we use authentication based on client SSL
certificates. I've found out that checking of client cert revocation
is not done automatically when the CRL Distribution Point is present in
the client certificate. Is this intentional, or just not done yet?
The only way how to do revocation checking is to configure
SSLCARevocationPath or SSLCARevocationFile.
The world of certificates is full of mess. The CRL Distribution Point is not
mandatory. So if it is not present, the last chance to do checking is
through the SSLCARevocation* vars. So they have their meaning.
I've found a discussion about reloading values of SSLCARevocation*
http://markmail.org/message/nrhnyd6dppl25uxj
From: Erwann ABALEA (eaba...@gmail.com)
Date: Oct 15, 2008 9:08:30 am
List: org.apache.httpd.dev
"CRL refreshing should also be taken into account; killing and
restarting a webserver every hour or every day because we downloaded a
new CRL is not a viable solution in a production environment, and OCSP
is not always a good answer (we're not talking about a sub-minute
revocation status)."
So my question is: is the CRL refreshing (reload of CRL files) done in
the current Apache versions?
And finally, what about OCSP: is it supported?
Jan.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
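As an added example (not part of Jan's post or the Apache project's own documentation), this is the shape a mod_ssl client-certificate section takes in Apache 2.4, where the server does not follow the certificate's CRL Distribution Point but does check a locally stored CRL and can query OCSP; the file paths and the responder URL are placeholders.

```apache
<VirtualHost *:443>
    SSLEngine on
    # placeholder server key pair
    SSLCertificateFile    /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/server.key

    # require a client certificate that chains to our issuing CA
    SSLVerifyClient require
    SSLVerifyDepth  2
    SSLCACertificateFile /etc/ssl/client-ca.pem

    # weak: in 2.4 a CRL file alone is ignored because the default
    # for SSLCARevocationCheck is "none"
    # SSLCARevocationFile /etc/ssl/client-ca.crl

    # corrected: check the leaf and every intermediate against the CRL.
    # mod_ssl does not fetch the CRL named in the certificate's CDP;
    # the file has to be downloaded out of band, and a new CRL only
    # takes effect after "apachectl graceful" (no full restart needed).
    SSLCARevocationFile  /etc/ssl/client-ca.crl
    SSLCARevocationCheck chain

    # optional online check (2.4+): query the responder named in the
    # certificate's AIA extension, with a fallback responder for
    # certificates that name none (placeholder URL)
    SSLOCSPEnable on
    SSLOCSPDefaultResponder http://ocsp.example.test/
</VirtualHost>
```

Apache does not accept comments at the end of a directive line, so keep the comments on their own lines as shown.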