On 22.04.2015 10:36, Jan Kaluža wrote:
> On 04/22/2015 09:50 AM, Kaspar Brand wrote:
>> Fiddling with OpenSSL internals
>> looks rather scary to me, at least at first sight - perhaps there's an
>> API for clearing a CRL store in OpenSSL?
> 
> Unfortunately there's no such API in OpenSSL. There's a "caching" flag in 
> the X509_STORE struct, but it's never actually used for anything.
> 
> Maybe it would be a better idea to implement that in OpenSSL

+1 for this, indeed. It would be good to not repeat history - i.e., add
code to mod_ssl which actually belongs in OpenSSL (specifically in
this case, where we would operate on low-level OpenSSL structures, which
looks like a fairly brittle approach).

> I was hoping to have this feature in httpd at first.

Understandable from an httpd package maintainer's point of view, I
agree. Could a temporary patch to your vendor OpenSSL package be a
short-term approach, with the long-term goal of getting it added as an
official API into OpenSSL 1.0.something?

Kaspar
