Hello, I'm actually trying to set up an SSL reverse proxy based on Apache 2.x and mod_ssl, and it seems there's a bug in the verification of the CRL.

If a CA changes its keys before expiration, the CRL is now signed by the new key and includes certificates issued by both the new and old keys. However, mod_ssl will refuse to work if the AKID of the revoked certificate doesn't match the issuer of the CRL.

Browsing the Apache archives, I found that somebody posted a patch covering this need (http://marc.info/?l=apache-httpd-dev&m=120350484626015), but the code hasn't been merged. I tested it and it works perfectly well. Does this patch seem OK to you? If yes, is it possible to include it?

Regards,
Nicob
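To illustrate the rollover situation described in the message, here is an added, constructed example (not Apache's code and not the patch linked above). It simulates the two ways a verifier can decide whether a CRL applies to a certificate: matching on the AuthorityKeyIdentifier (which breaks when the CA has moved to a new key, because certificates issued under the old key carry the old key id while the CRL carries the new one) versus matching on the issuer name while still verifying the CRL signature against a trusted key of that issuer. The CA name, key ids, serial numbers and the "signature" field are all made-up stand-ins; no real X.509 parsing or cryptography is performed.

```python
"""Simulated CRL-to-certificate matching during a CA key rollover.

Constructed example: no real X.509 parsing or signature verification.
Key ids and DNs are made-up handles standing in for the real
SubjectKeyIdentifier / AuthorityKeyIdentifier and issuer DN values.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    CRL_ISSUER_MISMATCH = "crl issuer mismatch"   # CRL could not be tied to the cert's issuer
    CRL_BAD_SIGNATURE = "crl signature invalid"   # CRL not signed by a trusted CA key


@dataclass(frozen=True)
class Certificate:
    issuer: str    # issuer DN
    serial: int
    akid: str      # AuthorityKeyIdentifier: id of the CA key that signed this cert


@dataclass(frozen=True)
class Crl:
    issuer: str
    akid: str                        # id of the CA key that signed this CRL
    revoked_serials: FrozenSet[int]
    signed_by: str                   # stand-in for the signature: key id actually used


# Trust store: issuer DN -> ids of the CA keys we trust for that issuer (old and new).
TrustStore = Dict[str, FrozenSet[str]]


def crl_signature_ok(crl: Crl, trust: TrustStore) -> bool:
    """Simulated signature check: the signing key must be a trusted key of the issuer."""
    return crl.signed_by in trust.get(crl.issuer, frozenset())


def check_strict(cert: Certificate, crl: Crl, trust: TrustStore) -> Status:
    """Behaviour the mail describes: the cert's AKID must equal the CRL's key id."""
    if not crl_signature_ok(crl, trust):
        return Status.CRL_BAD_SIGNATURE
    if cert.akid != crl.akid:
        # Rollover case: cert issued under the old key, CRL signed with the new one.
        return Status.CRL_ISSUER_MISMATCH
    return Status.REVOKED if cert.serial in crl.revoked_serials else Status.GOOD


def check_by_issuer(cert: Certificate, crl: Crl, trust: TrustStore) -> Status:
    """Rollover-tolerant variant: tie the CRL to the cert by issuer DN, not by key id.

    The CRL signature is still verified against a trusted key of that issuer, so
    relaxing the AKID match does not let an arbitrary CRL revoke (or un-revoke) certs.
    """
    if cert.issuer != crl.issuer:
        return Status.CRL_ISSUER_MISMATCH
    if not crl_signature_ok(crl, trust):
        return Status.CRL_BAD_SIGNATURE
    return Status.REVOKED if cert.serial in crl.revoked_serials else Status.GOOD


def run_scenario() -> Dict[str, Status]:
    """CA rolls from key 'k-old' to 'k-new'; the CRL is now signed with 'k-new'. (constructed)"""
    ca = "CN=Example CA"
    trust: TrustStore = {ca: frozenset({"k-old", "k-new"})}
    old_key_cert = Certificate(issuer=ca, serial=1001, akid="k-old")
    new_key_cert = Certificate(issuer=ca, serial=1002, akid="k-new")
    crl = Crl(issuer=ca, akid="k-new", revoked_serials=frozenset({1001}), signed_by="k-new")
    # A CRL signed with a key the trust store does not know: must be rejected either way.
    rogue_crl = Crl(issuer=ca, akid="k-rogue", revoked_serials=frozenset({1002}), signed_by="k-rogue")
    return {
        "strict/old-key cert": check_strict(old_key_cert, crl, trust),
        "strict/new-key cert": check_strict(new_key_cert, crl, trust),
        "by-issuer/old-key cert": check_by_issuer(old_key_cert, crl, trust),
        "by-issuer/new-key cert": check_by_issuer(new_key_cert, crl, trust),
        "by-issuer/rogue crl": check_by_issuer(new_key_cert, rogue_crl, trust),
    }


if __name__ == "__main__":
    for label, status in run_scenario().items():
        print(f"{label}: {status.value}")
```

The point of the two checkers side by side: the strict one cannot even evaluate the old-key certificate against the new-key CRL, so a revoked certificate is reported as a CRL mismatch rather than as revoked, whereas the issuer-based one finds serial 1001 in the list. The rogue CRL case shows the property that has to survive any relaxation of the AKID match: the CRL signature must still chain to a key that the trust store holds for that issuer.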