
Mailing List Archive: Apache: Bugs

[Bug 53156] CRL validation fails if CRL is missing



bugzilla at apache

Apr 27, 2012, 6:53 AM

Post #1 of 4 (209 views)
Permalink
[Bug 53156] CRL validation fails if CRL is missing

https://issues.apache.org/bugzilla/show_bug.cgi?id=53156

David Sansome <me [at] davidsansome> changed:

What |Removed |Added
----------------------------------------------------------------------------
Keywords| |PatchAvailable

--
You are receiving this mail because:
You are the assignee for the bug.


bugzilla at apache

Apr 27, 2012, 7:50 AM

Post #2 of 4 (203 views)
Permalink
[Bug 53156] CRL validation fails if CRL is missing [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=53156

Ruediger Pluem <rpluem [at] apache> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO

--- Comment #1 from Ruediger Pluem <rpluem [at] apache> ---
Why doesn't SSLCARevocationCheck none solve your problem (which is the default
value btw)?



bugzilla at apache

Apr 27, 2012, 8:10 AM

Post #3 of 4 (207 views)
Permalink
[Bug 53156] CRL validation fails if CRL is missing [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=53156

David Sansome <me [at] davidsansome> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |NEW

--- Comment #2 from David Sansome <me [at] davidsansome> ---
If I have CRLs for some CAs in the chain but not others then
SSLCARevocationCheck none/chain will only let me either allow everything or
deny everything - I can't tell it to check the ones that I have CRLs for but
ignore the rest.

The long answer is that I'm working on an embedded appliance that uses Apache -
we want to upgrade it from 2.2 to 2.4, but some users might have already added
CRLs to their systems. We could default the SSLCARevocationCheck option to
None, which would lower security for the people who were using CRLs, or we
could default it to Chain, which would completely lock out people who were
using client certificate checking without CRLs. Adding this option back in
makes sure we don't break anybody.



bugzilla at apache

Apr 29, 2012, 1:26 AM

Post #4 of 4 (194 views)
Permalink
[Bug 53156] CRL validation fails if CRL is missing [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=53156

--- Comment #3 from Kaspar Brand <asfbugz [at] velox> ---
There's room for improvement with regard to revocation checking settings in
mod_ssl, that's true.

Re-introducing an additional directive which restores the behavior from 2.2
seems like the wrong approach, however. Making revocation checking optional
(like the SSLCARevocationAllowMissing boolean would do) is pretty nonsensical,
IMO - either you insist on clients having an unrevoked cert or you don't.

Configuring revocation setting options basically amounts to enforcing a
security policy - that's why I added a separate CARevocationCheck directive in
r1165056 (which no longer relies on the implicit effects of
CARevocationFile/CARevocationPath as in 2.2). Instead of introducing yet
another directive, we should consider extending the syntax/options of
SSLCARevocationCheck.

One thing I was thinking about when working on r1165056 was to make revocation
checking succeed if the "unrevoked" status can be determined from either the
CRL or an OCSP response. Currently, if CRL and OCSP checking is enabled, *both*
have to succeed.

Finally, let me point out that there's an inherent issue with the proposed
patch: if mod_ssl unconditionally ignores X509_V_ERR_UNABLE_TO_GET_CRL errors
when "AllowMissing" is enabled, then it's no longer possible to reliably
enforce revocation checking for those CAs which do have CRLs (mod_ssl wouldn't
complain when the CRL can't be found, it would just silently proceed).

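To make the two objections in comments #2 and #3 concrete, here is an added toy model (not mod_ssl's code and not the reporter's patch) of how a verify callback would decide under SSLCARevocationCheck none/leaf/chain, with and without the proposed AllowMissing behaviour. The Cert type, the CA names, the serials and the CRL store are all constructed for the example.

```python
# Constructed toy model of the mod_ssl verify-callback decision discussed in
# this bug; not mod_ssl code. Error values mirror OpenSSL's x509_vfy.h.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

X509_V_OK = 0
X509_V_ERR_UNABLE_TO_GET_CRL = 3
X509_V_ERR_CERT_REVOKED = 23


@dataclass(frozen=True)
class Cert:
    name: str
    issuer: str
    serial: int


# Hypothetical CRL store: issuer name -> revoked serials. A CA with no entry
# has no loadable CRL, whether none was ever installed (the reporter's case)
# or the file went missing by mistake; the lookup cannot tell which.
CrlStore = Dict[str, Set[int]]

# Constructed chain below the trust anchor, leaf first.
CHAIN = [Cert("leaf", "IntCA", 1001), Cert("IntCA", "RootCA", 7)]
FULL_CRLS: CrlStore = {"RootCA": set(), "IntCA": {1001}}  # leaf is revoked
PARTIAL_CRLS: CrlStore = {"RootCA": set()}                # IntCA CRL absent


def crl_check(cert: Cert, crls: CrlStore) -> int:
    """OpenSSL-style result of looking the cert up in its issuer's CRL."""
    if cert.issuer not in crls:
        return X509_V_ERR_UNABLE_TO_GET_CRL
    if cert.serial in crls[cert.issuer]:
        return X509_V_ERR_CERT_REVOKED
    return X509_V_OK


def verify_chain(chain: List[Cert], crls: CrlStore, check: str,
                 allow_missing: bool = False) -> Tuple[bool, List[str]]:
    """check is the SSLCARevocationCheck value (none|leaf|chain); allow_missing
    models the proposed patch, which treats UNABLE_TO_GET_CRL as success."""
    if check == "none":
        return True, ["revocation checking disabled"]
    log, accepted = [], True
    for cert in chain[:1] if check == "leaf" else chain:
        err = crl_check(cert, crls)
        if err == X509_V_ERR_UNABLE_TO_GET_CRL and allow_missing:
            log.append(f"{cert.name}: no CRL for {cert.issuer}, ignored")
            continue  # a revoked cert whose CRL failed to load passes here
        accepted &= err == X509_V_OK
        log.append(f"{cert.name}: error {err}" if err else f"{cert.name}: CRL ok")
    return accepted, log
```

With the partial store, `chain` rejects every client (comment #2), while `chain` plus AllowMissing accepts the same revoked leaf as soon as IntCA's CRL is absent, which is indistinguishable from the CRL simply failing to load (comment #3).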
