On 22.04.2015 10:36, Jan Kaluža wrote:
> On 04/22/2015 09:50 AM, Kaspar Brand wrote:
>> Fiddling with OpenSSL internals
>> looks rather scary to me, at least at first sight - perhaps there's an
>> API for clearing a CRL store in OpenSSL?
>
> Unfortunately there's no such API in OpenSSL. There's a "caching" flag in
> the X509_STORE struct, but it's never actually used for anything.
>
> Maybe it would be a better idea to implement that in OpenSSL
+1 for this, indeed. It would be good not to repeat history - i.e., adding
code to mod_ssl which actually belongs in OpenSSL (specifically in this
case, where we would be operating on low-level OpenSSL structures, which
looks like a fairly brittle approach).

> I was hoping to have this feature in httpd at first.

Understandable from an httpd package maintainer's point of view, I agree.
Could a temporary patch to your vendor OpenSSL package be a short-term
approach, with the long-term goal of getting it added as an official API
into OpenSSL 1.0.something?

Kaspar