For example, when somebody today sets up SSLVerifyClient require and adds a CA and CRL with SSLCARevocationPath, if no CRL inside the path is correct, mod_ssl will not find the right one and will bypass the CRL check. What I mean is that on a misconfigured system, the admin can't know whether the CRL check is active or not.
Sometimes, the SSLCARevocationPath directive is used with a small daemon that updates the CRL.
Maybe it's normal behaviour, but I think it would be cleaner to choose, via a directive, the way to say the user is authenticated:
SSLVerifyClient require
SSLCACertificatePath /usr/local/apache/conf/ssl.crt/
SSLCARevocationPath /usr/local/apache/conf/ssl.crl/
SSLVerifyClientMethod +CRL (or +OCSP) or -CRL.
In this case, the default could be CA + CRL, and block if no valid CRL is found.
-CRL could disable the CRL check, etc.
Regards,
Matthieu
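
An added example, not part of the message above and not mod_ssl code: a shell function an administrator can run to see whether every CA certificate in the SSLCACertificatePath directory has a correctly signed, unexpired CRL under the hash filename (hash.rN) through which SSLCARevocationPath files are accessed. The function name, the status words, and the reliance on PEM files and an openssl binary on PATH are assumptions of this example.

```shell
# audit_crl_coverage CA_DIR CRL_DIR   (hypothetical helper, added example)
# Prints "STATUS HASH CA_FILE" per CA certificate, where STATUS is one of
#   OK       a CRL signed by this CA exists and nextUpdate is in the future
#   MISSING  no CRL_DIR/<hash>.rN file exists for this CA
#   BADSIG   a file has the right name but is not signed by this CA
#   EXPIRED  the CRL is signed by this CA but nextUpdate has passed or is absent
# Returns 0 only when every CA is OK.
# Example call with the paths used in the message:
#   audit_crl_coverage /usr/local/apache/conf/ssl.crt /usr/local/apache/conf/ssl.crl
audit_crl_coverage() {
    ca_dir=$1 crl_dir=$2 rc=0
    now=$(date -u +%Y%m%d%H%M%S)
    for ca in "$ca_dir"/*; do
        # Skip hash symlinks so each CA certificate is reported once.
        if [ -L "$ca" ] || [ ! -f "$ca" ]; then continue; fi
        h=$(openssl x509 -noout -subject_hash -in "$ca" 2>/dev/null) || continue
        status=MISSING
        for crl in "$crl_dir/$h".r*; do
            [ -f "$crl" ] || continue
            status=BADSIG
            # "verify OK" is printed only when the CRL signature checks out.
            openssl crl -noout -CAfile "$ca" -in "$crl" 2>&1 |
                grep -q 'verify OK' || continue
            status=EXPIRED
            # Turn "nextUpdate=Jan  1 00:00:00 2030 GMT" into 20300101000000.
            next=$(openssl crl -noout -nextupdate -in "$crl" | awk '{
                sub(/^nextUpdate=/, ""); split($3, t, ":")
                m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
                printf "%04d%02d%02d%02d%02d%02d", $4, m, $2, t[1], t[2], t[3] }')
            if [ "$next" -gt "$now" ]; then status=OK; break; fi
        done
        [ "$status" = OK ] || rc=1
        printf '%s %s %s\n' "$status" "$h" "$ca"
    done
    return $rc
}
```

Run from cron next to the CRL-updating daemon, a non-zero exit status can raise an alert when any CA is left without a usable CRL.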