Posted to bugs@httpd.apache.org by bu...@apache.org on 2005/06/30 01:35:29 UTC

DO NOT REPLY [Bug 35556] New: - CRL files not re-read by HUP

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=35556>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=35556

           Summary: CRL files not re-read by HUP
           Product: Apache httpd-2.0
           Version: 2.0.52
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: jhaar@trimble.co.nz


I have a CentOS 4.1 server running httpd-2.0.52-12.ent.centos4 using client
certificates for authentication. 

We have an internal CA that regenerates CRLs every hour, and they are signed as
being valid for 24 hours. We have an automated process for pushing those CRL
files out to Web servers and other devices that need them.

On this 2.0.52 server, the revocation data is referenced via:

SSLCARevocationFile /etc/httpd/conf/ssl.crl/Our-CA.crl

What is happening is that even though that file is being updated with a new CRL
file every hour, only a full restart (stop, start) of Apache makes it re-read
the CRL! If we send a HUP, it doesn't re-read it.

At that stage you see the "Found CRL is expired - revoking all certificates
until you get updated CRL" error message and no one can access the server via
certs any more.

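The failure mode above (a fresh CRL pushed every hour, but the copy mod_ssl loaded at startup ageing past its 24-hour nextUpdate) is easy to catch from the outside. The following is an added example, not code from the reporter or from the httpd project: a stdlib-only Python check that reads thisUpdate/nextUpdate out of the on-disk CRL and, given the CRL file's mtime and the time the httpd parent started (both hypothetical inputs, taken from os.stat and the process table in practice), says whether the loaded CRL is still trustworthy. The "restart-required" state reflects the reporter's observation that on 2.0.52 only a full stop/start picks up the new file. The sample CRL is constructed inline with a dummy signature so the script runs offline; it only exercises the parser, and the check deliberately does not verify the signature, which must be done against the CA separately.

```python
# Added example (not part of the bug report or of httpd): classify the CRL a
# 2.0.52 mod_ssl has loaded from the on-disk file, its mtime and httpd's start
# time. Stdlib only; the sample CRL below is constructed with a dummy signature.
import datetime as dt

UTC = dt.timezone.utc

# ---- tiny DER encoder, just enough to build an RFC 5280 CertificateList ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_seq(*items):
    return der(0x30, b"".join(items))

def der_utctime(t):
    return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))  # UTCTime

def build_sample_crl(this_update, next_update):
    """Constructed sample: v2, sha256WithRSAEncryption, issuer CN=Our-CA,
    thisUpdate/nextUpdate, no revoked entries, dummy (unverifiable) signature."""
    alg = der_seq(der(0x06, bytes.fromhex("2a864886f70d01010b")), der(0x05, b""))
    issuer = der_seq(der(0x31, der_seq(der(0x06, bytes.fromhex("550403")),
                                       der(0x0c, b"Our-CA"))))
    tbs = der_seq(der(0x02, b"\x01"), alg, issuer,
                  der_utctime(this_update), der_utctime(next_update))
    return der_seq(tbs, alg, der(0x03, b"\x00" * 17))

# ---- tiny DER reader ----
def der_read(buf, pos):
    """Return (tag, body_start, body_end) of the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length

def der_children(buf, start, end):
    pos = start
    while pos < end:
        tag, s, e = der_read(buf, pos)
        yield tag, buf[s:e]
        pos = e

def parse_time(tag, body):
    s = body.decode("ascii")
    if tag == 0x17:                      # UTCTime: RFC 5280 pivot, YY >= 50 -> 19YY
        yy = int(s[:2])
        s = ("19" if yy >= 50 else "20") + s
    elif tag != 0x18:                    # 0x18 = GeneralizedTime, 4-digit year already
        raise ValueError("expected a Time, got tag 0x%02x" % tag)
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def crl_validity(crl_der):
    """(thisUpdate, nextUpdate) of a DER CertificateList; nextUpdate may be None.
    The signature is NOT checked here; verify it against the CA separately."""
    _, s, _ = der_read(crl_der, 0)             # CertificateList
    _, ts, te = der_read(crl_der, s)           # tbsCertList
    fields = list(der_children(crl_der, ts, te))
    if fields[0][0] == 0x02:                   # optional version INTEGER
        fields = fields[1:]
    # fields: signature, issuer, thisUpdate, [nextUpdate], [revoked], [extensions]
    this_update = parse_time(*fields[2])
    next_update = None
    if len(fields) > 3 and fields[3][0] in (0x17, 0x18):
        next_update = parse_time(*fields[3])
    return this_update, next_update

def crl_status(crl_der, crl_mtime, httpd_started, now, margin=dt.timedelta(hours=2)):
    """Classify the situation on a host where only a full restart reloads the CRL.
    crl_mtime and httpd_started are hypothetical inputs (os.stat / process table)."""
    this_update, next_update = crl_validity(crl_der)
    if now < this_update:
        return "not-yet-valid"          # CA clock ahead of the web server
    if next_update is not None and now >= next_update:
        return "expired"                # mod_ssl now refuses every client cert
    if crl_mtime > httpd_started:
        return "restart-required"       # file replaced after start; loaded copy is older
    if next_update is not None and next_update - now < margin:
        return "expiring-soon"          # the hourly push or the restart is overdue
    return "ok"

def demo():
    """Constructed timeline around one 24h CRL window (hourly CRLs, valid 24h)."""
    t = lambda *a: dt.datetime(*a, tzinfo=UTC)
    crl = build_sample_crl(t(2005, 6, 29, 12, 0), t(2005, 6, 30, 12, 0))
    mtime = t(2005, 6, 29, 12, 1)
    return {
        "validity": crl_validity(crl),
        "fresh":    crl_status(crl, mtime, t(2005, 6, 29, 12, 30), t(2005, 6, 29, 13, 0)),
        "pushed":   crl_status(crl, mtime, t(2005, 6, 29, 11, 0),  t(2005, 6, 29, 13, 0)),
        "expiring": crl_status(crl, mtime, t(2005, 6, 29, 12, 30), t(2005, 6, 30, 11, 0)),
        "expired":  crl_status(crl, mtime, t(2005, 6, 29, 12, 30), t(2005, 6, 30, 13, 0)),
        "skew":     crl_status(crl, mtime, t(2005, 6, 29, 11, 0),  t(2005, 6, 29, 11, 30)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run from cron on the web server, "restart-required" is the state to alert on (or to act on with the stop/start the reporter found necessary), and "expiring-soon" catches a stalled CA push before the "Found CRL is expired" message locks every certificate holder out.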