https://issues.apache.org/bugzilla/show_bug.cgi?id=45708
--- Comment #15 from Erwann Abalea <[email protected]> 2011-10-11 10:37:38 UTC ---

(In reply to comment #14)
> (In reply to comment #13)
> > In the meantime, mod_ssl CRL verification needs to be radically changed: it
> > doesn't check critical extensions, it doesn't follow the normative algorithm,
> > and it can't pass NIST's PKITS. What should be done is to use the internal
> > OpenSSL CRL validation mechanism, which is correct.
>
> That's what has been done in r1165056 recently, so I'm tempted to add the
> FixedInTrunk keyword to this bug.

Nice information. I'm browsing the SVN tree to look at the changes. I'm glad
someone took the time for this.

> It will first appear in 2.3.15-beta (to be released later this month,
> hopefully); tests with a current checkout of trunk are very welcome, of
> course.

I'll do some tests, with role-separated CAs and rekeyed CAs.

> (In reply to comment #0)
> > Browsing Apache archives, I found that somebody posted a patch covering this
> > need (http://marc.info/?l=apache-httpd-dev&m=120350484626015), but the code
> > hasn't been merged. I tested it and it works perfectly well.
>
> For the record: in Apache's own list archive, it's
> http://mail-archives.apache.org/mod_mbox/httpd-dev/200802.mbox/%[email protected]%3E

I did receive some useful comments on this patch, but I don't remember who
wrote them (a cold got me). Basically, it was about using OpenSSL's own CRL
validation code instead of mod_ssl's legacy one, which does a really bad job.
