https://issues.apache.org/bugzilla/show_bug.cgi?id=53156
--- Comment #3 from Kaspar Brand <[email protected]> ---

There's room for improvement with regards to revocation checking settings in mod_ssl, that's true. Re-introducing an additional directive which restores the behavior from 2.2 seems like the wrong approach, however. Making revocation checking optional (like the SSLCARevocationAllowMissing boolean would do) is pretty nonsensical, IMO - either you insist on clients having an unrevoked cert or you don't.

Configuring revocation setting options basically amounts to enforcing a security policy - that's why I added a separate CARevocationCheck directive in r1165056 (which no longer relies on the implicit effects of CARevocationFile/CARevocationPath as in 2.2). Instead of introducing yet another directive, we should consider extending the syntax/options of SSLCARevocationCheck. One thing I was thinking about when working on r1165056 was to make revocation checking succeed if the "unrevoked" status can be determined from either the CRL or an OCSP response. Currently, if CRL and OCSP checking is enabled, *both* have to succeed.

Finally, let me point out that there's an inherent issue with the proposed patch: if mod_ssl unconditionally ignores X509_V_ERR_UNABLE_TO_GET_CRL errors when "AllowMissing" is enabled, then it's no longer possible to reliably enforce revocation checking for those CAs which do have CRLs (mod_ssl wouldn't complain when the CRL can't be found, it would just silently proceed).
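As an added illustration of the configuration model the comment describes (this is not part of the bug report or of httpd's own documentation), the following mod_ssl fragment shows the explicit 2.4-style setup: client certificates are required, CRL checking is switched on only through SSLCARevocationCheck rather than implicitly by the presence of SSLCARevocationFile, and OCSP is enabled alongside it. All file paths and the responder URL are assumed placeholder values.

```apache
# Added example: explicit revocation-checking policy for client certificates
# in Apache httpd 2.4 mod_ssl. Paths and URL are placeholders.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key

    # Client certificates are mandatory and must chain to this CA bundle.
    SSLVerifyClient require
    SSLVerifyDepth  2
    SSLCACertificateFile /etc/ssl/example/client-ca-bundle.pem

    # CRL source. In 2.2 merely pointing at a CRL file implicitly enabled
    # revocation checking; in 2.4 this line alone checks nothing.
    SSLCARevocationFile /etc/ssl/example/client-ca.crl

    # Policy lives here: "chain" checks every certificate in the chain
    # against the CRLs, "leaf" only the client certificate, "none" disables
    # CRL checking. With "chain" or "leaf", a CA that has no matching CRL
    # loaded causes the handshake to fail (X509_V_ERR_UNABLE_TO_GET_CRL)
    # instead of silently proceeding.
    SSLCARevocationCheck chain

    # OCSP checking of the client certificate. As the comment notes, when
    # both CRL and OCSP checking are enabled, both must succeed.
    SSLOCSPEnable on
    SSLOCSPDefaultResponder http://ocsp.example.invalid/
    SSLOCSPOverrideResponder off
</VirtualHost>
```

The point of keeping the policy in SSLCARevocationCheck is that the failure mode is a hard handshake error rather than a quiet pass: an administrator who forgets to publish a CRL for one issuing CA finds out immediately, which is exactly what an "allow missing CRL" switch would hide.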
