https://issues.apache.org/bugzilla/show_bug.cgi?id=45708
Summary: CRL verification fails if the CA has distinct AKIDs for the CRL and client certificates
Product: Apache httpd-2
Version: 2.2.9
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]
I'm actually trying to set up an SSL reverse-proxy based on Apache 2.x / mod_ssl
and it seems there's a bug in the verification of the CRL.
If a CA changes its keys before expiration, the CRL is now signed by the new
key and includes certificates issued by both the new and old keys. However,
mod_ssl will refuse to work if the AKID (authority key identifier) of the
proposed client certificate doesn't match the issuer of the CRL.
Browsing Apache archives, I found that somebody posted a patch covering this
need (http://marc.info/?l=apache-httpd-dev&m=120350484626015), but the code
hasn't been merged. I tested it and it works perfectly well.
Does this patch seem OK to you? If yes, is it possible to include it?
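As an added illustration (not code from the report, from mod_ssl or from the linked patch), the following Python model shows why a CRL lookup keyed on the certificate's AKID fails after a CA key rollover, and what a lookup keyed on the issuer name plus the set of trusted CA keys does instead. Certificates and CRLs are reduced to the fields that matter for the selection step; the CA name, key identifiers and serial numbers are constructed values, and CRL signature verification is stood in for by membership in the trusted-key set.

```python
"""Constructed model of CRL selection during client-certificate verification.

Not mod_ssl or OpenSSL code. Certificates and CRLs are reduced to issuer DN,
authority key identifier (AKID, identifying the CA key that signed the object)
and serial numbers. The scenario models a CA that rolled its key: old client
certificates carry the old key's AKID, while the only current CRL is signed by
the new key and lists revocations for certificates from both keys.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # issuer distinguished name
    akid: str     # key identifier of the CA key that signed this certificate
    serial: int


@dataclass(frozen=True)
class Crl:
    issuer: str
    akid: str                 # key identifier of the CA key that signed the CRL
    revoked: FrozenSet[int]   # revoked serial numbers


# CA key identifiers currently trusted for each issuer; stands in for having the
# corresponding CA certificates (old and new key) in the trust store.
TrustedKeys = Dict[str, FrozenSet[str]]


def find_crl_strict(cert: Cert, crls: Iterable[Crl]) -> Optional[Crl]:
    """Behaviour described in the report: the CRL is usable only if it was
    signed by the same key that issued the certificate (CRL AKID == cert AKID)."""
    for crl in crls:
        if crl.issuer == cert.issuer and crl.akid == cert.akid:
            return crl
    return None


def find_crl_by_issuer(cert: Cert, crls: Iterable[Crl],
                       trusted: TrustedKeys) -> Optional[Crl]:
    """Rollover-tolerant lookup: match on issuer DN and accept a CRL signed by
    any currently trusted key of that CA, not only the key that issued the cert.
    The trusted-key check models verifying the CRL signature against the CA."""
    for crl in crls:
        if crl.issuer == cert.issuer and crl.akid in trusted.get(cert.issuer, frozenset()):
            return crl
    return None


def check_revocation(cert: Cert, crl: Optional[Crl]) -> str:
    """Outcome of the revocation step. 'crl-mismatch' mirrors the connection
    being refused when no acceptable CRL is found for the certificate's issuer."""
    if crl is None:
        return "crl-mismatch"
    return "revoked" if cert.serial in crl.revoked else "valid"


# --- constructed scenario -----------------------------------------------------
CA = "CN=Example CA"
OLD_KEY, NEW_KEY = "kid-old", "kid-new"          # constructed key identifiers
TRUSTED: TrustedKeys = {CA: frozenset({OLD_KEY, NEW_KEY})}

OLD_GOOD = Cert("CN=alice", CA, OLD_KEY, serial=1001)     # issued by old key
OLD_REVOKED = Cert("CN=bob", CA, OLD_KEY, serial=1002)    # issued by old key, revoked
NEW_REVOKED = Cert("CN=carol", CA, NEW_KEY, serial=2001)  # issued by new key, revoked

# The only current CRL: signed by the new key, covering both certificate generations.
CRLS = [Crl(CA, NEW_KEY, frozenset({1002, 2001}))]


def outcomes(cert: Cert) -> Dict[str, str]:
    """Revocation result under both lookup strategies for one certificate."""
    return {
        "strict": check_revocation(cert, find_crl_strict(cert, CRLS)),
        "by_issuer": check_revocation(cert, find_crl_by_issuer(cert, CRLS, TRUSTED)),
    }


if __name__ == "__main__":
    for c in (OLD_GOOD, OLD_REVOKED, NEW_REVOKED):
        print(c.subject, outcomes(c))
```

Running the model shows the two consequences of the strict lookup: every certificate issued under the old key is rejected with a CRL mismatch, including ones that are still valid, so the service breaks for all pre-rollover clients. The issuer-based lookup keeps working across the rollover and still catches revoked serials from both key generations, but it is only safe because it also requires the CRL to be signed by a key the trust store already holds for that CA; matching on issuer name alone would accept a CRL from any signer that copied the DN.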