DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=14104>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=14104

------- Additional Comments From [EMAIL PROTECTED] 2007-12-04 09:20 -------

I agree that reloading of CRLs when necessary is a highly desirable feature. OpenSSL 0.9.9 does have some improved CRL support, but adding generic reloading to cover all cases into OpenSSL isn't really practical. OpenSSL 0.9.8 doesn't have reloading support, but its handling isn't as broken as mod_ssl's manual CRL handling.

As a general solution there are several options.

One is to run a local OCSP responder which makes use of CRLs to provide revocation information. Then mod_ssl can determine certificate status over OCSP and the responder can deal with CRLs in an appropriate manner. I did write such a responder for a similar situation but never got round to getting the implementation into a publicly usable form.

Another option is to have a database of CRL information in mod_ssl. A bit like the session cache but for revocation information. Note that I say "revocation information" as opposed to storing full CRLs because CRLs can be quite large and decoding on each use is a considerable overhead. It is better to just store the set of revoked certificates' serial numbers (CRL entries) and have a lookup mechanism which each thread could use.

--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
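The second option in the comment above, a shared revocation store that keeps only CRL entries rather than whole CRLs, sketched as an added Python example (not mod_ssl or OpenSSL code). It assumes a constructed text source of issuer|serial lines in place of real X.509 CRL decoding; the store is decoded once, reloaded only when the source's mtime or size changes, and served to worker threads as an immutable set so lookups need no lock.

```python
import os
import tempfile
import threading
# Constructed stand-in for CRL entries: one "issuer|serial_hex" line per revoked certificate.
# This line format is an assumption for the example; real code would decode X.509 CRLs.
SAMPLE_REVOKED = "CN=Example CA|0A1B2C\nCN=Example CA|0A1B2D\nCN=Other CA|FF01\n"


class RevocationCache:
    """Keeps only (issuer, serial) pairs, not whole CRLs, and reloads when the source changes."""
    def __init__(self, path):
        self.path = path
        self._lock = threading.Lock()   # serialises reloads across worker threads
        self._signature = None          # (mtime_ns, size) of the source last decoded
        self._revoked = frozenset()     # immutable, so lookups need no lock

    def _load(self):
        entries = set()
        with open(self.path) as f:
            for line in f:
                line = line.strip()
                if line and not line.startswith("#"):
                    issuer, serial = line.split("|", 1)
                    entries.add((issuer, int(serial, 16)))
        return frozenset(entries)

    def refresh_if_changed(self):
        st = os.stat(self.path)
        signature = (st.st_mtime_ns, st.st_size)
        with self._lock:
            if signature == self._signature:
                return False
            self._revoked = self._load()   # decoded once, reused by every lookup
            self._signature = signature
            return True

    def is_revoked(self, issuer, serial):
        self.refresh_if_changed()
        return (issuer, serial) in self._revoked


def demo():
    # Look up a serial, append a new revocation, and confirm it is seen without a restart.
    path = os.path.join(tempfile.mkdtemp(), "revoked.txt")
    with open(path, "w") as f:
        f.write(SAMPLE_REVOKED)
    cache = RevocationCache(path)
    before = cache.is_revoked("CN=Example CA", 0x0A1B2E)   # not yet listed
    with open(path, "a") as f:
        f.write("CN=Example CA|0A1B2E\n")                  # CA publishes a new entry
    after = cache.is_revoked("CN=Example CA", 0x0A1B2E)    # picked up on next lookup
    return before, after, cache.is_revoked("CN=Other CA", 0xFF01)
```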
