You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2005/08/31 12:05:31 UTC
DO NOT REPLY [Bug 36438] New: -
Problem with CRL file loading in mod_ssl
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=36438>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=36438
Summary: Problem with CRL file loading in mod_ssl
Product: Apache httpd-2.0
Version: 2.0.50
Platform: Other
OS/Version: Linux
Status: NEW
Severity: major
Priority: P2
Component: mod_ssl
AssignedTo: bugs@httpd.apache.org
ReportedBy: stephane.omnes@atosorigin.com
CC: stephane.omnes@atosorigin.com
When you use "SSLCARevocationFile" directive to launch a Certificate Revocation
List, if the CRL file is not in PEM format (DER for example), no warning or
error message is written in logs file, so that you don't detect that something
goes wrong... In this case, when a revoked client certificate is submitted to
Apache during SSL negociation, the verification doesn't work well (e.g. nothing
happen !).
I think that it's a major problem because this bug concerns security aspects of
Apache.
I detetected this situation on Apache 2.0.50 with openssl 0.9.7-8
Sincerely,
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org