Hi httpd users, I only want to allow clients to log in with a valid certificate that has not been revoked. For this I wrote a small bash script to download the CRL of each CA I've configured in the ca-bundle.crt, convert it into PEM format and create the required hash symlinks.
httpd-2.4.52 openssl-1.1.1m <VirtualHost _default_:8443> ... SSLCACertificateFile "/etc/httpd/ca-bundle.crt" SSLEngine on SSLProtocol TLSv1.2 ... SSLCARevocationPath "/var/httpd/crl/" SSLCARevocationCheck chain SSLVerifyClient require SSLVerifyDepth 3 ... </VirtualHost> The setup ran properly, but after a few days of uptime I got errors like this [2022-03-30 17:10:00.807034] [ssl:error] [C:W5J48KAelwE] AH02039: Certificate Verification: Error (12): CRL has expired The CRLs and symlinks in my crl directory were up to date. But the httpd did not read them after they were updated. So the httpd runs into the expiration date of the old CRLs. Searching for this problem I found this old entry in the bugzilla: https://bz.apache.org/bugzilla/show_bug.cgi?id=14104 Does the problem of httpd-2.0.x still resists in httpd-2.4.x or do I have a misconfiguration in my setup? >From my point of view there are two possible workarounds but both are not very nice: A) restart gracefully the httpd after updating the CRL files B) set MaxConnectionsPerChild on a small value. regards, Hendrik -- ---------------------------------------------------------- Hendrik Harms mail: hendrik.ha...@gmail.com
