bugzilla at apache
Apr 29, 2012, 1:26 AM
Post #4 of 4
[Bug 53156] CRL validation fails if CRL is missing
[In reply to]
--- Comment #3 from Kaspar Brand <asfbugz [at] velox> ---
There's room for improvement with regards to revocation checking settings in
mod_ssl, that's true.
Re-introducing an additional directive which restores the behavior from 2.2
seems like the wrong approach, however. Making revocation checking optional
(like the SSLCARevocationAllowMissing boolean would do) is pretty nonsensical,
IMO - either you insist on clients having an unrevoked cert or you don't.
Configuring revocation setting options basically amounts to enforcing a
security policy - that's why I added a separate CARevocationCheck directive in
r1165056 (which no longer relies on the implicit effects of
CARevocationFile/CARevocationPath as in 2.2). Instead of introducing yet
another directive, we should consider extending the syntax/options of
One thing I was thinking about when working on r1165056 was to make revocation
checking succeed if the "unrevoked" status can be determined from either the
CRL or an OCSP response. Currently, if CRL and OCSP checking is enabled, *both*
have to succeed.
Finally, let me point out that there's an inherent issue with the proposed
patch: if mod_ssl unconditionally ignores X509_V_ERR_UNABLE_TO_GET_CRL errors
when "AllowMissing" is enabled, then it's no longer possible to reliably
enforce revocation checking for those CAs which do have CRLs (mod_ssl wouldn't
complain when the CRL can't be found, it would just silently proceed).
You are receiving this mail because:
You are the assignee for the bug.