On Feb 13, 2008, at 10:00 AM, Kaspar Brand wrote:

> While I was testing revocation checking for client certs in an SNI
> configuration (Dirk, many thanks for make_sni.sh, btw!), I came across a
> flaw in the current implementation when CRL information - i.e.

Thank YOU (me feel silly now - as I spent a fair bit of time trying to understand why one test case of mine was not failing -- but as I was blaming openssl - was looking in the wrong place)

> SSLCARevocationFile/SSLCARevocationPath - is set on a per-vhost basis
> (don't know how much sense it makes to have non-global CRLs, but anyway...).

It may make sense during a roll over? Not sure?

> The attached patch addresses this issue, and it also improves the
> logging behavior for an SNI enabled configuration (previously some of
> the messages would always go to the first vhost, or wouldn't appear at
> all, depending on the LogLevel of the first vhost).

Tested and applied as rev 627699.

Thanks!

Dw.