On Tue, Feb 26, 2008 at 04:51:40PM +0000, Dr Stephen Henson wrote:
> Well the current CRL strategy has a few problems. It ignores critical
> extensions but that's a separate issue...

I was looking at this recently; is it still true that mod_ssl has to do so much of the CRL revocation checks for client certs itself (i.e. all of ssl_callback_SSLVerify_CRL)? It looks like X509_verify_cert() can do revocation checks itself if suitably configured, though maybe this is a recent addition?

> Many CRLs have short lifetimes and need to be updated fairly often which
> causes problems when the server needs to be restarted each time.
...
> Well that's one strategy... another would be to use OCSP exclusively and
> have a local OCSP responder driven by CRLs.

Right, that is exactly my view. I think that any attempt to make mod_ssl treat CRLs as anything other than static files loaded once at startup will end up trying to reinvent OCSP badly.

If a free OCSP responder existed which actually did this maybe those "make CRL handling better" bug reports would go away :)

joe
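The library-side check joe points to above, as an added example that is not part of the original message or of mod_ssl: the `openssl verify -crl_check` front end drives X509_verify_cert() with CRL checking enabled, so the revocation decision is made inside OpenSSL rather than in a server callback. The demo CA, client certificate and CRL are constructed in a temporary directory; the script assumes the `openssl` CLI (1.1.1 or later) is on PATH.

```shell
# Added demonstration, not code from the thread: let OpenSSL's X509_verify_cert(),
# driven here through `openssl verify -crl_check`, do the CRL revocation check itself.
# Assumes the `openssl` CLI (1.1.1 or 3.x) is on PATH; CA, client cert and CRL are
# constructed in a temporary directory.
setup_demo_ca() {
  WORK=$(mktemp -d) && cd "$WORK"      # all constructed artefacts live here
  cat > ca.cnf <<'EOF'                 # minimal config for `openssl ca`
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.pem
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 1
policy = any_policy
[ any_policy ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ req ]
distinguished_name = dn
[ dn ]
EOF
  touch index.txt; echo 01 > serial; echo 01 > crlnumber
  # Self-signed demo CA, a client cert issued through `openssl ca`, and an empty CRL.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj /CN=DemoCA -days 2 -config ca.cnf -extensions v3_ca 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj /CN=client -config ca.cnf 2>/dev/null
  openssl ca -batch -config ca.cnf -in client.csr -out client.pem -days 1 -notext 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}
# Revoke the client cert and reissue the CRL, as a real CA would publish it.
revoke_client() {
  openssl ca -config ca.cnf -revoke client.pem 2>/dev/null && openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}
# Chain + CRL check done entirely by the library (X509_V_FLAG_CRL_CHECK); prints accepted/rejected.
verify_client() {
  if openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem client.pem 2>&1 | grep -q 'client.pem: OK'; then echo accepted; else echo rejected; fi
}
setup_demo_ca; verify_client     # accepted
revoke_client; verify_client     # rejected
```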