I am not sure if Apache does that. Local CRLs are
handled differently since they are fed into the OpenSSL
X509_verify_cert() function. Fetching and downloading
CRLs from CDPs for every transaction is too costly for
most applications.

The CDP extension may, at the option of the CA, be either
critical or non-critical. However, the Internet
Certificate and CRL profile (RFC 2459)
recommends that this extension be marked non-critical,
meaning an implementation can choose to ignore this
extension.

For every client certificate, if we download CRLs from
the CDPs indicated in the certificate, it may be a lot
of overhead in terms of delay and processing.
Some CRLs are very long (can go up to a few Mbytes of
data), making downloading a CRL per SSL connection
unbearable.

If you find contrary evidence, please share it...

Lincoln


--- Steve Larson <[EMAIL PROTECTED]> wrote:

> I am wanting to get CRL Distribution Points working
> within my client certs.
>  
> Using Apache I am able to get certificate revocation
> working using the SSLCARevocationFile directive
> (using a local file).
>  
> Using a http://www.webserver.com/crlfile.crl within
> the cert (CRL Distribution Point) it doesn't work. 
> I have put the crl on a remote web server.  Watching
> the logs on the remote server I do not see the crl
> being accessed.
>  
> Any troubleshooting tips?
>  
> Does the browser go out and access the crl? or does
> the server?
>  
> Thanks for any help.
> 
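The local-CRL path Lincoln describes, as an added example that is not part of this thread: a throwaway CA issues a client cert carrying the CDP URI from Steve's mail, and `openssl verify -crl_check` is run with no CRL, with a CRL generated before revocation, and with one generated after it. The CA name, file names, key sizes and working directory are assumptions.

```shell
#!/bin/sh
# Constructed demo: OpenSSL honours only a CRL handed to it locally
# (-CRLfile); the crlDistributionPoints URI in the cert is never fetched.
set -e
WORK="$(mktemp -d)"; cd "$WORK"
mkdir -p db/newcerts; touch db/index.txt
echo 01 > db/serial; echo 01 > db/crlnumber
cat > ca.cnf <<'EOF'
[ca]
default_ca = demo
[demo]
dir = ./db
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = ./ca.pem
private_key = ./ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any
[any]
commonName = supplied
[client_ext]
crlDistributionPoints = URI:http://www.webserver.com/crlfile.crl
EOF
# Assumed CA and client names; the CDP URI is the one from Steve's mail.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj /CN=DemoCA -days 365 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj /CN=client 2>/dev/null
openssl ca -batch -notext -config ca.cnf -extensions client_ext \
  -in client.csr -out client.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out empty.crl 2>/dev/null   # before revocation
openssl ca -config ca.cnf -revoke client.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out revoked.crl 2>/dev/null # after revocation

# Print the CDP URI embedded in the client cert (what a fetcher would use).
cdp_uri() {
  openssl x509 -in client.pem -noout -text | grep -o 'URI:[^ ]*' | sed 's/^URI://'
}
# $1: optional local CRL file. Prints "ok" or "rejected".
verify_with() {
  if [ -n "$1" ]; then set -- -CRLfile "$1"; else set --; fi
  if openssl verify -CAfile ca.pem -crl_check "$@" client.pem >/dev/null 2>&1
  then echo ok; else echo rejected; fi
}
echo "cdp=$(cdp_uri) none=$(verify_with) empty=$(verify_with empty.crl) revoked=$(verify_with revoked.crl)"
```

With `-crl_check` and no local CRL the verification is rejected outright (no CRL available), which is the behaviour to expect from SSLCARevocationFile-style checking when the CDP is not fetched.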



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]