> I am not sure Apache actually has this capability at
> all. Local CRLs are used in OpenSSL's
> x509_verify_cert() function, and since it doesn't
> involve network download, it is handled by OpenSSL. 

There is no CRL functionality in mod_ssl or openssl.
OpenSSL allows the value, i.e. the URI, to be extracted
programmatically.

Maintaining a cache of CRLs can be considered out of
scope for openssl...  BUT, the new code for 'store'...

> CDP extension may, at the option of the CA, be either
> critical or non-critical. However, the Internet
> Certificate and CRL profile (RFC 2459) 
> recommends that this extension be marked non-critical,
> meaning implementation can choose to ignore this
> extension. 
It's RFC 3280. The wording is a little bit more difficult,
but then it is also difficult to detect what 'support' means.

> For every client certificate, if the application
> downloads CRLs from the CDPs indicated in 
> the certificate, it may be a lot of overhead in terms
> of delay and processing.  Some CRLs are very long (can
> go up to a few Mbytes of data), making downloading 
> CRL per SSL connection unbearable. 
Indeed. And it conflicts with the basic assumption that
a relying party can make reasonable decisions with
immediate online access to the CA databases etc. (if not,
you wouldn't need these kinds of certs at all.)

> Therefore, I don't know whether Apache does this at
> all. If you have a different opinion, please share it.
What different opinion? That you don't know?? :-)

> > I am wanting to get CRL Distribution Points working
> > within my client certs.
> >  
> > Using Apache I am able to get certificate revocation
> > working using the SSLCARevocationFile directive
> > (using a local file).
> >  
> > Using a http://www.webserver.com/crlfile.crl within
> > the cert (CRL Distribution Point) it doesn't work. 
> > I have put the crl on a remote web server.  Watching
> > the logs on the remote server I do not see the crl
> > being accessed.
> >  
> > Any troubleshooting tips?
> >  
> > Does the browser go out and access the crl? or does
> > the server?

A browser can go and look in the DP to check the CRL
of the issuer of the server cert. That's not an issue
for OpenSSL.

An Apache server with mod_ssl may want to know the CRLs
for the client certs that it accepts.

The server has to be configured with the CA certs of
the CAs for which it accepts client certs. In many cases
the CRLs for these certs are in fixed locations, thus
it may be advisable to download them once per day
in a totally independent procedure that not only
downloads the CRLs from time to time but also
validates them for a good signature and validity before
handing the best known one to the server.

But very often the application behind also has a
mechanism of authorisation control, thus, instead
of revoking a cert it *may* be easier to reject the
access in your priv management infrastructure. But
not always.
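The daily download-validate-install procedure described above, written out as an added example (not code from this thread, nor from the OpenSSL or Apache projects). The CA file, CRL URL and destination path are assumed placeholders, and the script relies on the openssl, curl and GNU date commands being present:

```shell
# Periodic CRL refresh for mod_ssl (SSLCARevocationFile); paths below are assumed, not from the thread.
CA_FILE="${CA_FILE:-/etc/ssl/certs/client-ca.pem}"         # CA that issued the client certs
CRL_URL="${CRL_URL:-http://www.webserver.com/crlfile.crl}"  # CDP URI quoted in the thread
CRL_DEST="${CRL_DEST:-/etc/ssl/crl/client-ca.crl.pem}"     # file named in SSLCARevocationFile

# Succeeds only if the PEM CRL in $1 carries a valid signature from the CA cert in $2.
# Caveat: "openssl crl -CAfile" prints "verify OK" or "verify failure" but exits 0
# either way, so the exit status proves nothing; the message has to be inspected.
crl_signature_ok() {
    openssl crl -in "$1" -noout -CAfile "$2" 2>&1 | grep -q '^verify OK'
}

# Succeeds only if "now" lies inside [lastUpdate, nextUpdate). Assumes GNU date.
# A CRL without nextUpdate is rejected: there is no way to know it is still current.
crl_dates_ok() {
    last=$(openssl crl -in "$1" -noout -lastupdate | sed 's/^lastUpdate=//')
    next=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
    case "$next" in ""|NONE) return 1 ;; esac
    now=$(date -u +%s)
    last_s=$(date -u -d "$last" +%s) || return 1
    next_s=$(date -u -d "$next" +%s) || return 1
    [ "$last_s" -le "$now" ] && [ "$now" -lt "$next_s" ]
}

# Normalise a downloaded CRL ($1, DER or PEM) to PEM in $2; CDPs usually serve DER.
crl_to_pem() {
    openssl crl -inform DER -in "$1" -out "$2" 2>/dev/null ||
        openssl crl -inform PEM -in "$1" -out "$2" 2>/dev/null
}

# Validate candidate $1 against CA $2; only if it passes, replace $3 atomically.
# On rejection the previously installed CRL is left untouched.
install_crl() {
    pem=$(mktemp "$3.XXXXXX") || return 1     # same directory, so mv is atomic
    if crl_to_pem "$1" "$pem" && crl_signature_ok "$pem" "$2" && crl_dates_ok "$pem"; then
        chmod 0644 "$pem" && mv -f "$pem" "$3"
    else
        rm -f "$pem"; return 1
    fi
}

# Cron entry point: fetch from the CDP, validate, install, then reload mod_ssl.
refresh_crl() {
    raw=$(mktemp) || return 1
    curl -fsS --max-time 60 -o "$raw" "$CRL_URL" &&
        install_crl "$raw" "$CA_FILE" "$CRL_DEST" && apachectl graceful
    status=$?
    rm -f "$raw"
    return "$status"
}
```

Run refresh_crl from cron once a day; a rejected download leaves the last good CRL in place, so the server never ends up without one.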

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]