Posted to dev@httpd.apache.org by Matthieu Estrade <me...@apache.org> on 2004/12/15 14:45:24 UTC

modssl - ocsp - crl

I'm close to finishing the OCSP feature on mod_ssl, but when I look at the 
entire client auth system, there are some little points that are not really clean.
For example, when somebody today sets up SSLVerifyClient require and puts 
a CA and CRL in place with SSLCARevocationPath, if no CRL is correct inside the 
path, mod_ssl will not find the right one and will bypass the CRL check. What 
I mean is that on a misconfigured system, the admin can't know if the CRL check is 
active or not.
Sometimes, the SSLCARevocationPath directive is used with a little 
daemon updating the CRL.

Maybe it's normal behaviour, but I think it could be cleaner to 
choose the way to say the user is authenticated, via a directive:

SSLVerifyClient require
SSLCACertificatePath /usr/local/apache/conf/ssl.crt/
SSLCARevocationPath /usr/local/apache/conf/ssl.crl/
SSLVerifyClientMethod +CRL (or +OCSP) or -CRL.

In this case, the default could be CA + CRL and block if no valid CRL is 
found.
-CRL could disable the CRL check, etc.

Regards,

Matthieu
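An added check for the failure mode described in the post, written here as an example and not taken from mod_ssl or from the poster: it audits an SSLCARevocationPath directory the way mod_ssl will see it. mod_ssl loads that directory through OpenSSL's hash-directory lookup, so only files named <issuer-hash>.rN are ever opened; a CRL stored under another name, or under the wrong hash, is never consulted and the CRL check silently does nothing. It assumes the openssl command-line tool is available and that the CA directory is laid out the same way (<hash>.0).

```shell
# check_crl_path SSLCARevocationPath SSLCACertificatePath
# Prints one line per file and returns 0 only if at least one CRL is usable
# and nothing in the directory is ignored, misnamed, unreadable or orphaned.
check_crl_path() {
  crldir="$1"; cadir="$2"; ok=0; bad=0
  for f in "$crldir"/*; do
    [ -e "$f" ] || continue
    base=$(basename "$f")
    # mod_ssl (via X509_LOOKUP_hash_dir) only opens <hash>.rN; anything else is skipped.
    case "$base" in
      *.r[0-9]*) ;;
      *) echo "IGNORED    $f (not <hash>.rN, mod_ssl will not open it)"
         bad=$((bad+1)); continue ;;
    esac
    # Hash of the CRL's issuer DN, i.e. the name the lookup expects the file under.
    # (Must be computed with the same OpenSSL generation mod_ssl is linked against.)
    if ! h=$(openssl crl -in "$f" -noout -hash 2>/dev/null); then
      echo "UNREADABLE $f (not a PEM CRL)"; bad=$((bad+1)); continue
    fi
    if [ "${base%.r*}" != "$h" ]; then
      echo "MISNAMED   $f (issuer hash is $h, expected $h.rN)"; bad=$((bad+1)); continue
    fi
    # The issuing CA must be present in SSLCACertificatePath under the same hash,
    # otherwise the CRL can never be matched to a client certificate chain.
    if [ ! -e "$cadir/$h.0" ]; then
      echo "ORPHANED   $f (no $h.0 in $cadir)"; bad=$((bad+1)); continue
    fi
    echo "OK         $f $(openssl crl -in "$f" -noout -nextupdate 2>/dev/null)"
    ok=$((ok+1))
  done
  [ "$ok" -gt 0 ] && [ "$bad" -eq 0 ]
}
```

Running it from the CRL-updating daemon's post-update hook, or from a cron job, turns the silent bypass into a visible failure.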