bugzilla at apache
Jun 1, 2012, 6:38 PM
Post #1 of 1
(71 views)
Permalink
|
|
[Bug 14104] not documented: must restart server to load new CRL
|
|
https://issues.apache.org/bugzilla/show_bug.cgi?id=14104
--- Comment #12 from Matt Whitlock <apache [at] mattwhitlock> ---
This just bit me today. I'm using client-certificate authentication on a web
server that I admin for my company, and yesterday I had to revoke one of the
certificates due to a termination of an employee, and today I decided to verify
that the revocation actually worked by temporarily revoking my own certificate,
and surprise(!), I was still able to authenticate to the site. I had to reload
Apache before it would reject my authentication. This is not the behavior I
expected. It's not as though the contents of the CRLs is conceptually being
"included" into the configuration like a modular config file would be; no, the
CRL is a piece of volatile data that the configuration *references*, and the
server needs to notice when the file changes. At the very least, the Apache
mod_ssl documentation needs to note that any changes to the CRL files at
SSLCARevocationPath will require a reload of the server configuration in order
to take effect. This could have been disastrous if I hadn't thought to double
check that Apache was actually rejecting the revoked certs.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe [at] httpd
For additional commands, e-mail: bugs-help [at] httpd
|
