On 04/22/2015 09:50 AM, Kaspar Brand wrote:
> On 21.04.2015 12:20, Jan Kaluža wrote:
>> we used to have a patch against httpd-2.2.15 to add an SSLDisableCRLCaching
>> option to not cache CRLs. I was trying to adapt this patch for
>> httpd-trunk and eventually include it upstream, but now I'm at a dead end.
>>
>> The patch removes all the CRLs from the per-server_rec OpenSSL cache
>> created in ssl_init_ctx_crl (OpenSSL caches the CRLs in
>> X509_store.objs). This all works properly, but I'm thinking about
>> thread-safety.
>
> Starting with 2.3.15 (https://svn.apache.org/r1165056), CRL checking was
> completely delegated to OpenSSL, so it would be a bit surprising to me
> if that patch can be ported to trunk.

I'm aware of that; that's why I'm rewriting that patch for trunk :).

> Fiddling with OpenSSL internals
> looks rather scary to me, at least at first sight - perhaps there's an
> API for clearing a CRL store in OpenSSL?

Unfortunately there's no such API in OpenSSL. There's a "caching" flag in the X509_STORE struct, but it's never actually used for anything.

Maybe it would be a better idea to implement that in OpenSSL, but that's kind of a long-term goal. I was hoping to have this feature in httpd first.

> Kaspar

Regards,
Jan Kaluza
