https://issues.apache.org/bugzilla/show_bug.cgi?id=14104
--- Comment #12 from Matt Whitlock <[email protected]> ---

This just bit me today. I'm using client-certificate authentication on a web server that I admin for my company, and yesterday I had to revoke one of the certificates due to a termination of an employee, and today I decided to verify that the revocation actually worked by temporarily revoking my own certificate, and surprise(!), I was still able to authenticate to the site. I had to reload Apache before it would reject my authentication.

This is not the behavior I expected. It's not as though the contents of the CRLs are conceptually being "included" into the configuration like a modular config file would be; no, the CRL is a piece of volatile data that the configuration *references*, and the server needs to notice when the file changes.

At the very least, the Apache mod_ssl documentation needs to note that any changes to the CRL files at SSLCARevocationPath will require a reload of the server configuration in order to take effect. This could have been disastrous if I hadn't thought to double-check that Apache was actually rejecting the revoked certs.
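
One way to work around the behaviour reported above, as an added example that is not part of the original comment or of Apache itself: a script, run from cron, that fingerprints the CRL directory and triggers a graceful reload only when the CRL set has changed. The directory, state-file path and reload command are assumptions to adjust for the server in question.

```shell
#!/bin/sh
# Added example: reload Apache when the CRLs under SSLCARevocationPath change.
# CRL_DIR, STATE_FILE and RELOAD_CMD are assumed values, not taken from the report.
CRL_DIR="${CRL_DIR:-/etc/apache2/ssl.crl}"
STATE_FILE="${STATE_FILE:-/var/lib/crl-watch/fingerprint}"
RELOAD_CMD="${RELOAD_CMD:-apachectl graceful}"

# Print one SHA-256 digest covering the name and content of every file in $1.
# Fails (status 1) if the directory cannot be entered.
crl_fingerprint() {
    ( cd "$1" 2>/dev/null || exit 1
      for f in *; do
          [ -f "$f" ] || continue        # skips the literal '*' of an empty dir
          sha256sum -- "$f"
      done | sha256sum | cut -d' ' -f1 )
}

# Compare the current fingerprint of directory $1 with the one saved in $2.
# Returns 0 if the CRLs changed and the reload succeeded,
#         1 if nothing changed,
#         2 on error (unreadable directory or failed reload).
# The first run has no saved fingerprint and therefore reloads once.
sync_crls() {
    dir=$1; state=$2
    new=$(crl_fingerprint "$dir") || return 2
    old=$(cat "$state" 2>/dev/null || true)
    [ "$new" = "$old" ] && return 1
    # Save the fingerprint only after a successful reload, so a failed
    # reload is retried on the next run instead of being silently skipped.
    $RELOAD_CMD || return 2
    printf '%s\n' "$new" > "$state"
    return 0
}

# Cron entry point: crl-watch.sh --run   ("unchanged" is not an error)
if [ "${1:-}" = "--run" ]; then
    sync_crls "$CRL_DIR" "$STATE_FILE" || [ $? -eq 1 ]
fi
```

After a revocation, an authentication attempt with the revoked certificate remains the real test that the reload took effect, as the comment above describes.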
