You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/01/14 01:59:48 UTC

DO NOT REPLY [Bug 14104] - not documented: must restart server to load new CRL

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=14104>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=14104


tlhackque@yahoo.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |
            Version|2.0.43                      |2.0.54




------- Additional Comments From tlhackque@yahoo.com  2006-01-14 01:59 -------
I, too have been tripped up by this.  Please reconsider.

It seems to me that the current behavior is undesirable, and that the problems 
joe raises are all soluble.  The CRL is unlike other configuration changes; it 
has a expiration date and is expected to require periodic refresh.

I update my crl daily with a lifetime of several days - more on general 
principles than because it's highly volatile.  However, if something bad 
happens, I'd like a reasonable latency till the crl is refreshed.

I agree that polling "just in case" could a lot of extra synchronization, and 
is probably overkill.

But it does not seem friendly or robust to have apache stop service when it 
knows what's wrong & the data it needs is sitting on the disk where the config 
file says it is.

Apache seems to have sufficient synchronization to "revoke all certificates 
until you get updated CRL".  It also has sufficient smarts to do a graceful 
restart.

So, why not do this:

When a thread finds that the CRL is out of date, it synchronizes on a CRL 
update lock.  Under that lock, it looks to see if there's a new CRL.  If there 
is, it schedules a graceful restart, placing the request that detected the 
problem back on the service queue.  The request will be picked up by the new 
generation of the configuration DB after the restart.

This way, the update only happens when there is a problem; existing mechanisms 
are used.  The only delay is to the requests at time of crl expiration.  And by 
adjusting the expiration time, an administrator can minimize the impact.

The work-around of apachectl -k graceful in the crl rebuild script should work 
on a single system, single server.  But in a more interesting environment (say, 
multiple systems with the crl on a networked disk), it's a lot more work.

But at an absolute minimum, update the documentation for the 
SSLCARevocationFile directive to indicate that a restart is required when the 
file changes.  As an experienced system manager, but new to apache, it was by 
no means obvious to me.



-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org