https://issues.apache.org/bugzilla/show_bug.cgi?id=45708

Kaspar Brand <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P1                          |P2
            Version|2.2.9                       |2.2-HEAD
           Severity|critical                    |normal

--- Comment #14 from Kaspar Brand <[email protected]> 2011-10-11 05:12:31 UTC ---
(In reply to comment #13)
> In the meantime, mod_ssl CRL verification needs to be radically changed: it
> doesn't check critical extensions, it doesn't follow the normative algorithm,
> and it can't pass NIST's PKITS. What should be done is to use the internal
> OpenSSL CRL validation mechanism, which is correct.

That's what has been done in r1165056 recently, so I'm tempted to add the
FixedInTrunk keyword to this bug.

It will first appear in 2.3.15-beta (to be released later this month,
hopefully); tests with a current checkout of trunk are very welcome, of course.
For best results, mod_ssl should be compiled against OpenSSL 1.0.0e or later,
since a considerable number of CRL processing enhancements are only available
in 1.0.0.

(In reply to comment #0)
> Browsing Apache archives, I found that somebody posted a patch covering this
> need (http://marc.info/?l=apache-httpd-dev&m=120350484626015), but the code
> hasn't been merged. I tested it and it works perfectly well.

For the record: in Apache's own list archive, it's
http://mail-archives.apache.org/mod_mbox/httpd-dev/200802.mbox/%[email protected]%3E

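Added example (not httpd code, and not part of the thread above): the point of
delegating to OpenSSL's own verifier is that CRL handling becomes a flag on the
X509_STORE rather than hand-rolled lookup code, and that flag is off unless the
application turns it on (in trunk that is what SSLCARevocationCheck does). The
script below builds a throwaway CA, issues a leaf, revokes it, generates a CRL
and then asks the OpenSSL CLI verifier twice: once with the CRL merely present
and once with -crl_check. The CA name, leaf name and file names are made up for
the demonstration; it needs only the openssl binary.

```shell
#!/bin/sh
# Added example (not httpd code): OpenSSL only enforces a CRL when asked to.
# A throwaway CA, leaf certificate and CRL are generated on the fly; the names
# "Demo CRL CA" and "leaf.example" are constructed for this demonstration.
set -eu

# verify_leaf FLAGS...: run OpenSSL's verifier on leaf.pem with extra flags and
# print a one-word verdict: OK, revoked, or failed. Output is matched on text
# rather than exit status because older verify binaries always exited 0.
verify_leaf() {
  out=$(openssl verify "$@" -CAfile ca.pem leaf.pem 2>&1 || true)
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *"leaf.pem: OK"*)        echo OK ;;
    *)                       echo failed ;;
  esac
}

# crl_demo: build CA, leaf and CRL in a temp dir, then print the verdict with
# and without CRL checking enabled. Prints two lines:
#   without -crl_check: OK
#   with -crl_check: revoked
crl_demo() {
  work=$(mktemp -d)
  cd "$work"

  # Throwaway CA and a leaf certificate it issues.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Demo CRL CA" -days 2 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=leaf.example" >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out leaf.pem -days 1 >/dev/null 2>&1

  # Minimal 'openssl ca' state: an empty index and a CRL number are enough to
  # revoke a certificate and issue a CRL (no signing policy is needed).
  touch index.txt
  echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 1
EOF
  openssl ca -config ca.cnf -keyfile ca.key -cert ca.pem \
    -revoke leaf.pem >/dev/null 2>&1
  openssl ca -config ca.cnf -keyfile ca.key -cert ca.pem \
    -gencrl -out crl.pem >/dev/null 2>&1

  # Same chain, same CRL handed to the verifier; only the flag changes the
  # verdict. Without X509_V_FLAG_CRL_CHECK the CRL is simply never consulted.
  echo "without -crl_check: $(verify_leaf -CRLfile crl.pem)"
  echo "with -crl_check: $(verify_leaf -crl_check -CRLfile crl.pem)"

  cd / && rm -rf "$work"
}

crl_demo
```

The first line is the trap: a CRL sitting next to the CA bundle does nothing
by itself, which is why a server that loads CRLs but never sets the check flag
(the equivalent of leaving SSLCARevocationCheck at its default) keeps accepting
revoked client certificates. Adding -crl_check_all instead of -crl_check makes
the verifier demand a CRL for every CA in the chain, not just the leaf's
issuer; a missing CRL then fails verification rather than being ignored.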