Posted to users@httpd.apache.org by Joost de Heer <sa...@xs4all.nl> on 2007/02/04 16:50:28 UTC

[users@httpd] Re: Problem with revoked certificates.

domi wrote:

[Question about CRLs]

> <VirtualHost _default_:443>
> ServerName 192.168.0.2:443
> Errorlog /opt/exampleca/ssl_error_log
> Transferlog /opt/exampleca/ssl_access_log
>
> SSLEngine on
>
> SSLCipherSuite HIGH:MEDIUM
>
> SSLProtocol all
>
> SSLCertificateFile /some/path/01.pem
> SSLCertificateKeyFile /some/path/testkey.pem
> SSLCertificateChainFile /some/path/cacert.pem
>
> </VirtualHost>

You are missing a SSLCARevocationFile directive. Apache should check the
CRL, not the browser.

Joost


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Problem with revoked certificates.

Posted by domi <Ke...@web.de>.
Joost wrote:

Joost de Heer wrote:
> 
> domi wrote:
> 
> [Question about CRLs]
> 
>> <VirtualHost _default_:443>
>> ServerName 192.168.0.2:443
>> Errorlog /opt/exampleca/ssl_error_log
>> Transferlog /opt/exampleca/ssl_access_log
>>
>> SSLEngine on
>>
>> SSLCipherSuite HIGH:MEDIUM
>>
>> SSLProtocol all
>>
>> SSLCertificateFile /some/path/01.pem
>> SSLCertificateKeyFile /some/path/testkey.pem
>> SSLCertificateChainFile /some/path/cacert.pem
>>
>> </VirtualHost>
> 
> You are missing a SSLCARevocationFile directive. Apache should check the
> CRL, not the browser.
> 
> Joost
> 
> 

Hello Joost,
thank you for your answer. I have a question concerning it. The definition
on http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslcarevocationfile
says the following:
"This directive sets the all-in-one file where you can assemble the
Certificate Revocation Lists (CRL) of Certification Authorities (CA) whose
clients you deal with. These are used for Client Authentication. ..."
As I understand this definition, it is just for client authentication, which I
don't want to deal with. (Not yet.)
Or do I misunderstand the definition?

best regards domi
-- 
View this message in context: http://www.nabble.com/Problem-with-revoked-certificates.-tf3169656.html#a8795601
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.
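
Added example (not configuration from either poster): where `SSLCARevocationFile` takes effect according to the documentation passage quoted above, namely when the server verifies client certificates. The `SSLVerifyClient`, `SSLVerifyDepth` and `SSLCACertificateFile` lines and both `client-ca` paths are assumptions added for illustration; the server certificate lines are the ones from the quoted virtual host.

```apache
<VirtualHost _default_:443>
    ServerName 192.168.0.2:443
    SSLEngine on

    # Server identity, unchanged from the virtual host quoted in the thread.
    SSLCertificateFile      /some/path/01.pem
    SSLCertificateKeyFile   /some/path/testkey.pem
    SSLCertificateChainFile /some/path/cacert.pem

    # Client authentication: require a client certificate and verify it
    # against the CA that issues client certificates.
    # (Placeholder path; comments must sit on their own line in httpd config.)
    SSLVerifyClient      require
    SSLVerifyDepth       1
    SSLCACertificateFile /some/path/client-ca.pem

    # PEM-encoded CRL(s) of that CA, concatenated into one file.
    # A client certificate listed in it fails verification in the handshake.
    # (Placeholder path.)
    SSLCARevocationFile  /some/path/client-ca-crl.pem

    # httpd 2.4 only: CRL checking stays off unless it is enabled explicitly.
    # SSLCARevocationCheck chain
</VirtualHost>
```

httpd reads the CRL file at startup, so a refreshed CRL only takes effect after the server is reloaded.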

