Posted to dev@httpd.apache.org by Matthieu Estrade <me...@apache.org> on 2004/12/15 14:45:24 UTC
modssl - ocsp - crl
I'm close to finishing the OCSP feature on mod_ssl, but when I look at the
entire client auth system, there are some little points that are not really clean.
For example, when somebody today sets up SSLVerifyClient require and puts
CA and CRL, with SSLCARevocationPath, if no CRL is correct inside the
path, mod_ssl will not find the good one and will bypass the CRL check. What
I mean is that on a misconfigured system, the admin can't know if the CRL check is
active or not.
Sometimes, the SSLCARevocationPath directive is used with a little
daemon updating the CRL.
Maybe it's normal behaviour, but I think it would be cleaner to
choose the way to say the user is authenticated, via a directive:
SSLVerifyClient require
SSLCACertificatePath /usr/local/apache/conf/ssl.crt/
SSLCARevocationPath /usr/local/apache/conf/ssl.crl/
SSLVerifyClientMethod +CRL (or +OCSP) or -CRL.
In this case, the default could be CA + CRL and block if no valid CRL is
found;
-CRL could disable the CRL check, etc.
Regards,
Matthieu
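As an added example that is not part of the original post or of mod_ssl, the script below builds a throw-away CA in a temporary directory and shows what the "block if no valid CRL is found" behaviour looks like at the OpenSSL level: with CRL checking enabled, a revocation path that holds no usable CRL makes verification fail instead of being silently skipped, and installing a freshly signed CRL under its hash name (the same <hash>.r0 naming SSLCARevocationPath relies on) makes it pass. All file names, subjects and the ca.cnf contents are constructed for the example.

```shell
# Added example (not from the post or mod_ssl): a throw-away CA in a temp dir
# shows OpenSSL failing closed when CRL checking is on and no CRL is found.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# Minimal config: a [req] section for the CA cert, a [ca] section for -gencrl.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
crlnumber = crlnumber
private_key = ca.key
certificate = ca.pem
default_md = sha256
default_crl_days = 1
EOF
touch index.txt; echo 01 > crlnumber

# Throw-away CA and a client certificate it signed (constructed test data).
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo CA" -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -subj "/CN=client" \
    -keyout client.key -out client.csr >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 2 -out client.pem >/dev/null 2>&1

# verify_against DIR: DIR is searched like SSLCARevocationPath, for a CRL named
# <issuer-hash>.r0. Returns 0 only if the chain verifies with CRL checking on.
verify_against() {
    openssl verify -CAfile "$WORK/ca.pem" -CApath "$1" -crl_check \
        "$WORK/client.pem" >/dev/null 2>&1
}
mkdir "$WORK/empty_crl_dir" "$WORK/good_crl_dir"
# 1) Revocation path with no usable CRL: the misconfiguration described.
if verify_against "$WORK/empty_crl_dir"; then
    echo "empty path: accepted (CRL check silently skipped)"
else
    echo "empty path: rejected, no CRL found for the issuer"
fi
# 2) Sign an (empty) CRL, install it under its hash name, verify again.
openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
cp ca.crl "$WORK/good_crl_dir/$(openssl crl -hash -noout -in ca.crl).r0"
verify_against "$WORK/good_crl_dir" && echo "hashed CRL installed: client.pem OK"
```

The same hash-named file is what an updater daemon would have to drop into the SSLCARevocationPath for mod_ssl to pick it up; a CRL placed there under any other name is exactly the "not found, check bypassed" case the post describes.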