On 21.04.2015 12:20, Jan Kaluža wrote:
> we used to have a patch against httpd-2.2.15 to add SSLDisableCRLCaching
> option to not cache CRLs. I was trying to adapt this patch for
> httpd-trunk and eventually include it upstream but now I'm in a dead end.
>
> The patch removes all the CRLs from the per-server_rec OpenSSL cache
> created in ssl_init_ctx_crl (OpenSSL caches the CRLs in
> X509_store.objs). This all works properly, but I'm thinking about
> thread-safety.
Starting with 2.3.15 (https://svn.apache.org/r1165056), CRL checking was completely delegated to OpenSSL, so it would be a bit surprising to me if that patch can be ported to trunk. Fiddling with OpenSSL internals looks rather scary to me, at least at first sight - perhaps there's an API for clearing a CRL store in OpenSSL?

Kaspar