Hi,

I am using Apache 1.3.9, mod_ssl 2.4.10 and OpenSSL 0.9.4 on SuSE Linux 6.3. I have access to an internal Trustcenter, which issued all of my user certificates.

Step 1: server authentication

First I put the CA certificates in /etc/httpd/ssl.crt, calculated the symbolic links again, modified httpd.conf and restarted the webserver. There is no problem so far.

Step 2: client authentication

I set SSLVerifyClient to require and only user certificates issued by our own Trustcenter are accepted now.

Step 3: client authentication with CRL checking

I retrieved a CRL from our Trustcenter and put it in /etc/httpd/ssl.crl (with SSLCARevocationPath pointing there), calculated the symbolic links again and restarted Apache. Executing "openssl crl -text -in corporate.crl" shows me the correct serial numbers of the revoked certificates, but I am still able to connect to my secure server with a revoked certificate.

Trying to trace down the mod_ssl code shows me two procedures which perhaps are responsible for performing the CRL checking: in ssl_engine_kernel.c are ssl_callback_SSLVerify and ssl_callback_SSLVerify_CRL, but both procedures are never (!) called on my machine (for instance ssl_hook_Translate is called seven (!!) times during a connection).

So is there anyone who has also tried to use client authentication and CRL checking with CRLs coming from a foreign CA and not from the OpenSSL/mod_ssl test CAs, who has already managed this or has an idea what is missing?

--
Thanks in advance

Christoph Kerscher
Mannesmann Datenverarbeitung GmbH
Abteilung Information-Management
Tel.: +49 (2102) 972654
mailto:[EMAIL PROTECTED]

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                 [EMAIL PROTECTED]
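As an added illustration of what the CRL check in step 3 has to do at the data level (this is example code written for this page, not mod_ssl's or OpenSSL's own implementation): a dependency-free Python parser that walks the DER structure of an X.509 CertificateList, collects the revoked serial numbers, and answers "is this certificate's serial in the CRL?". The sample CRL it builds (issuer name, dates, serials 0x42, 0x80, 0x1001 and the placeholder signature) is constructed for the demonstration; all function names are the example's own. The PEM loader lets the same membership check be run against a real file such as the corporate.crl mentioned above. What it deliberately does not do is verify the CA's signature over the CRL or match the CRL issuer to the certificate issuer, which is the part a real verifier (OpenSSL underneath mod_ssl) must perform before any entry may be trusted; a listing tool like this only confirms that the serial is present.

```python
import base64

# ASN.1 DER tags used by the CRL structure (RFC 5280 "CertificateList")
SEQ, SET, INT, OID, NULL, BITSTR, PRINTABLE, UTCTIME, GENTIME = (
    0x30, 0x31, 0x02, 0x06, 0x05, 0x03, 0x13, 0x17, 0x18)


def der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Wrap body in a DER tag / length / value triple."""
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value):
    """DER INTEGER for a non-negative serial (a leading 0x00 keeps it positive)."""
    return tlv(INT, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """All TLVs contained in a constructed element's value."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def revoked_serials(crl_der):
    """Map serial number -> revocation date (time string) from a DER CRL.

    Walks TBSCertList in field order: [version] signature issuer thisUpdate
    [nextUpdate] [revokedCertificates] [crlExtensions].  This only reads the
    list; it does NOT verify the CA's signature over it.
    """
    tag, cert_list, _ = read_tlv(crl_der, 0)
    tbs_tag, tbs, _ = read_tlv(cert_list, 0)
    if tag != SEQ or tbs_tag != SEQ:
        raise ValueError("not a CertificateList")
    fields = children(tbs)
    i = 1 if fields[0][0] == INT else 0     # optional version field
    i += 3                                   # signature, issuer, thisUpdate
    if i < len(fields) and fields[i][0] in (UTCTIME, GENTIME):
        i += 1                               # optional nextUpdate
    revoked = {}
    if i < len(fields) and fields[i][0] == SEQ:   # revokedCertificates present
        for _, entry in children(fields[i][1]):
            _, serial, pos = read_tlv(entry, 0)
            _, date, _ = read_tlv(entry, pos)
            revoked[int.from_bytes(serial, "big", signed=True)] = date.decode("ascii")
    return revoked


def is_revoked(crl_der, serial):
    """True when the certificate serial appears in the CRL's revoked list."""
    return serial in revoked_serials(crl_der)


def crl_from_pem(pem_text):
    """Strip the -----BEGIN/END X509 CRL----- armour and base64-decode."""
    lines = [l.strip() for l in pem_text.splitlines()
             if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(lines))


def crl_to_pem(crl_der):
    """Inverse of crl_from_pem, used here for the round-trip check."""
    return ("-----BEGIN X509 CRL-----\n" + base64.b64encode(crl_der).decode()
            + "\n-----END X509 CRL-----\n")


def build_sample_crl(serials):
    """Constructed test CRL (NOT a real one): placeholder, unsigned signature."""
    sha1_rsa = tlv(SEQ, tlv(OID, bytes.fromhex("2a864886f70d010105")) + tlv(NULL, b""))
    issuer = tlv(SEQ, tlv(SET, tlv(SEQ, tlv(OID, bytes([0x55, 0x04, 0x03]))
                                       + tlv(PRINTABLE, b"Example Corporate CA"))))
    entries = b"".join(tlv(SEQ, der_int(s) + tlv(UTCTIME, b"000215090000Z")) for s in serials)
    tbs = tlv(SEQ, der_int(1) + sha1_rsa + issuer
              + tlv(UTCTIME, b"000301120000Z") + tlv(UTCTIME, b"000401120000Z")
              + tlv(SEQ, entries))
    fake_sig = tlv(BITSTR, b"\x00" * 9)      # 0 unused bits, then dummy signature bytes
    return tlv(SEQ, tbs + sha1_rsa + fake_sig)


if __name__ == "__main__":
    crl = build_sample_crl([0x42, 0x80, 0x1001])
    for serial in (0x42, 0x43):
        print(hex(serial), "revoked" if is_revoked(crl, serial) else "not in CRL")
```

To run it against a real file, pass crl_from_pem(open("corporate.crl").read()) to revoked_serials and compare the result with the serials printed by "openssl crl -text". If the serial of the certificate that still gets through is present there, the CRL data itself is fine and the failure lies in the verification path (CRL lookup by issuer hash, or the callback not being reached), not in the CRL contents.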
