DO NOT REPLY [Bug 14104] not documented: must restart server to load new CRL
https://issues.apache.org/bugzilla/show_bug.cgi?id=14104

--- Comment #11 from tlhack...@yahoo.com 2011-11-21 17:05:01 UTC ---
Still interested in this. I'd like to see the patch in comment 9 work with revocationpath, and the multiple CA bug reported in comment 10 fixed as well. 9 years after this was first reported, X.509 certificates are even more important...and CRLs are part of the support. I still consider the current behavior a bug, not a new feature, since httpd is ignoring the CRL's expiration date.

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.

-
To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org
For additional commands, e-mail: bugs-h...@httpd.apache.org

DO NOT REPLY [Bug 14104] not documented: must restart server to load new CRL
https://issues.apache.org/bugzilla/show_bug.cgi?id=14104

Benjamin Dauvergne bdauver...@entrouvert.com changed:

           What    |Removed                    |Added
----------------------------------------------------------------------------
                 CC|bdauver...@entrouvert.com  |

DO NOT REPLY [Bug 14104] not documented: must restart server to load new CRL
https://issues.apache.org/bugzilla/show_bug.cgi?id=14104

--- Comment #10 from nada apache_bugzi...@valgronda.com 2010-07-28 13:51:55 EDT ---
I've tested the patch from Comment #9 against httpd 2.2.15. I'm having here a setup with multiple sub-CAs (each with its own CRL) - and could successfully login with revoked certs from the sub-CAs after the patch above was applied.

So, this patch seems to have the following bug: if you have multiple CRLs within one file, the patch only loads the first one.

DO NOT REPLY [Bug 14104] not documented: must restart server to load new CRL
https://issues.apache.org/bugzilla/show_bug.cgi?id=14104

Sam Bryan sam.br...@montal.com changed:

           What    |Removed                    |Added
----------------------------------------------------------------------------
                 CC|                           |sam.br...@montal.com

DO NOT REPLY [Bug 14104] not documented: must restart server to load new CRL
https://issues.apache.org/bugzilla/show_bug.cgi?id=14104

Benjamin Dauvergne [EMAIL PROTECTED] changed:

           What    |Removed                    |Added
----------------------------------------------------------------------------
                 CC|                           |[EMAIL PROTECTED]

DO NOT REPLY [Bug 14104] not documented: must restart server to load new CRL
https://issues.apache.org/bugzilla/show_bug.cgi?id=14104

--- Comment #9 from Grzegorz [EMAIL PROTECTED] 2008-06-11 06:44:48 PST ---
Created an attachment (id=22109)
 -- (https://issues.apache.org/bugzilla/attachment.cgi?id=22109)
Automatically reload CRL when the previous one expires and a new one is available

With this patch applied, Apache will reload a certificate revocation list (CRL) file when
 * the previous CRL, stored in memory, has expired
 * a new CRL file is available (based on file mtime)

It only works with CRLs loaded with SSLCARevocationFile, but if there's interest, I'll extend it to support SSLCARevocationPath as well.

It doesn't require any additional options; Apache's behavior will not change if you don't supply fresh CRLs. If you do, it will automagically reload them when needed.

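An added illustration, not code from the thread or from the attachment in comment 9: the two reload conditions described in comment 9 (in-memory CRL expired AND a newer file on disk, with times as POSIX timestamps), a PEM splitter that returns every CRL in a file rather than only the first (the defect reported in comment 10), and a reload that keeps the old CRLs when the new file yields none (the "what if the re-load failed?" concern from the 2005 comment). The sample file contents and all function names are assumptions made for this example.

```python
import re

# Markers of a PEM-encoded CRL. Other PEM objects in the same file (e.g. a
# CERTIFICATE block) are skipped rather than mistaken for a CRL.
_CRL_BLOCK = re.compile(
    r"-----BEGIN X509 CRL-----\r?\n(.*?)\r?\n-----END X509 CRL-----", re.DOTALL
)

# Constructed sample file: two CRLs (one per sub-CA) with a certificate in
# between. The bodies are placeholders, not real DER, so only the PEM
# framing is exercised here.
SAMPLE_PEM = """-----BEGIN X509 CRL-----
PLACEHOLDERBODYNOTREALDER1
-----END X509 CRL-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERBODYNOTREALDER2
-----END CERTIFICATE-----
-----BEGIN X509 CRL-----
PLACEHOLDERBODYNOTREALDER3
-----END X509 CRL-----
"""


def split_pem_crls(pem_text):
    """Return every CRL block in the file, not just the first one.

    Comment 10 reports that the patch loads only the first CRL of a file
    holding several; a loader has to iterate over all of them.
    """
    return ["-----BEGIN X509 CRL-----\n%s\n-----END X509 CRL-----\n" % body
            for body in _CRL_BLOCK.findall(pem_text)]


def should_reload(now, loaded_next_update, loaded_mtime, file_mtime):
    """The two conditions from comment 9, as POSIX timestamps: reload only
    when the CRL in memory has passed its nextUpdate AND the file on disk
    is newer than the copy that was loaded. Requiring both means an
    unchanged file is not re-parsed on every request once it expires."""
    return now >= loaded_next_update and file_mtime > loaded_mtime


def load_or_keep(current_crls, pem_text):
    """Re-read the file, but keep the CRLs already in memory when the new
    file yields none: a stale CRL still rejects the serials it lists,
    whereas an empty list would silently stop revocation checking."""
    fresh = split_pem_crls(pem_text)
    return fresh if fresh else current_crls
```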
DO NOT REPLY [Bug 14104] - not documented: must restart server to load new CRL
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=14104. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=14104

[EMAIL PROTECTED] changed:

           What    |Removed                    |Added
----------------------------------------------------------------------------
                 CC|                           |[EMAIL PROTECTED]

DO NOT REPLY [Bug 14104] - not documented: must restart server to load new CRL
http://issues.apache.org/bugzilla/show_bug.cgi?id=14104

[EMAIL PROTECTED] changed:

           What    |Removed                    |Added
----------------------------------------------------------------------------
             Status|RESOLVED                   |REOPENED
         Resolution|WONTFIX                    |
            Version|2.0.43                     |2.0.54

--- Additional Comments From [EMAIL PROTECTED] 2006-01-14 01:59 ---
I, too, have been tripped up by this. Please reconsider.

It seems to me that the current behavior is undesirable, and that the problems joe raises are all soluble.

The CRL is unlike other configuration changes; it has an expiration date and is expected to require periodic refresh. I update my crl daily with a lifetime of several days - more on general principles than because it's highly volatile. However, if something bad happens, I'd like a reasonable latency till the crl is refreshed.

I agree that polling just in case could require a lot of extra synchronization, and is probably overkill. But it does not seem friendly or robust to have apache stop service when it knows what's wrong and the data it needs is sitting on the disk where the config file says it is.

Apache seems to have sufficient synchronization to revoke all certificates until you get an updated CRL. It also has sufficient smarts to do a graceful restart. So, why not do this: when a thread finds that the CRL is out of date, it synchronizes on a CRL update lock. Under that lock, it looks to see if there's a new CRL. If there is, it schedules a graceful restart, placing the request that detected the problem back on the service queue. The request will be picked up by the new generation of the configuration DB after the restart.

This way, the update only happens when there is a problem; existing mechanisms are used. The only delay is to the requests at the time of crl expiration. And by adjusting the expiration time, an administrator can minimize the impact.

The work-around of apachectl -k graceful in the crl rebuild script should work on a single system, single server. But in a more interesting environment (say, multiple systems with the crl on a networked disk), it's a lot more work.

But at an absolute minimum, update the documentation for the SSLCARevocationFile directive to indicate that a restart is required when the file changes. As an experienced system manager, but new to apache, it was by no means obvious to me.

DO NOT REPLY [Bug 14104] - not documented: must restart server to load new CRL
http://issues.apache.org/bugzilla/show_bug.cgi?id=14104

[EMAIL PROTECTED] changed:

           What    |Removed                    |Added
----------------------------------------------------------------------------
             Status|NEW                        |RESOLVED
         Resolution|                           |WONTFIX

--- Additional Comments From [EMAIL PROTECTED] 2005-01-19 14:46 ---
Periodically reloading the CRL file from within httpd does not really sound feasible (would you re-load and reparse it in each child? what if the children got out of synch? what if the re-load failed? what about thread-safety issues since the CRL is stored in the server-global config structure).

If the CRL changes relatively infrequently over time, you could cron a (graceful) restart to pick up changes. If it is updated so frequently that restarting to pick up changes is not practical, you need OCSP (or something like it).

- WONTFIX

DO NOT REPLY [Bug 14104] - not documented: must restart server to load new CRL
http://issues.apache.org/bugzilla/show_bug.cgi?id=14104

[EMAIL PROTECTED] changed:

           What    |Removed                    |Added
----------------------------------------------------------------------------
           Severity|normal                     |enhancement
          Component|Documentation              |mod_ssl

--- Additional Comments From [EMAIL PROTECTED] 2004-12-26 22:30 ---
Reclassified as a feature request against mod_ssl. Thanks for the suggestion.

DO NOT REPLY [Bug 14104] - not documented: must restart server to load new CRL
http://issues.apache.org/bugzilla/show_bug.cgi?id=14104

--- Additional Comments From [EMAIL PROTECTED] 2004-11-22 15:04 ---
The server needs to be restarted for just about any change to take effect. It's not clear that this is explicitly documented anywhere, and I'm not really sure where that information should be placed where it would be effective.

Any change of configuration requires a server restart. This is not SSL specific. Perhaps an entry in the FAQ is warranted? Thoughts?

DO NOT REPLY [Bug 14104] - not documented: must restart server to load new CRL
http://issues.apache.org/bugzilla/show_bug.cgi?id=14104
not documented: must restart server to load new CRL

[EMAIL PROTECTED] changed:

           What    |Removed                    |Added
----------------------------------------------------------------------------
          Component|mod_ssl                    |Documentation

DO NOT REPLY [Bug 14104] - not documented: must restart server to load new CRL
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14104
not documented: must restart server to load new CRL

[EMAIL PROTECTED] changed:

           What    |Removed                    |Added
----------------------------------------------------------------------------
            Summary|time zone discrepancy in   |not documented: must restart
                   |evaluating CRL timeliness  |server to load new CRL