I played with this for a while, our (commercial) CA writes a new CRL every 24
hours - and they only last for 24 hours, 5 minutes.

We had a cron job that was synchronised to pull the crl from an LDAP, massage
it, place it into .../ssl.crl/ca-bundle-client.crl (overwriting the old one).
This seemed to work fine for a couple of days until the time synchronisation
failed.  At this time the system failed when the CRL expired, the server
rejected all certs (as expected).  To get it going again meant getting the CRL,
and bouncing the server (apachectl -restart seemed to fail on my platform, as it
required the key passphrase...) - not good for us.

Someone may comment on when the file is referred to (or use the source Luke),
but my observation seemed to be that if there was one there on startup, then it
would continue to be checked over time.

In the end we are dumping CRL checks, and doing LDAP lookup for valid certs as
required.  Seems to make more sense - but not an out-of-the-box solution (for me
anyway).

I'm going from memory here sorry - but I do remember getting some heartache over
this one!
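The freshness check such a cron job could run before overwriting the CRL in ssl.crl, added here as an example that is not part of the original thread or of mod_ssl: it reads thisUpdate/nextUpdate out of a DER CRL with a minimal hand-written DER walker and refuses a CRL that would lapse before the next scheduled refresh, which is exactly the 24-hour refresh against a 24-hour-5-minute lifetime described above. The sample CRL, the NOW value and all function names are constructed for the demo.

```python
import datetime as dt

MINUTE = dt.timedelta(minutes=1)
NOW = dt.datetime(2024, 3, 1, tzinfo=dt.timezone.utc)   # constructed "current time" for the demo

def _tlv(buf, pos):                          # (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(tag, raw):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER CertificateList (RFC 5280 5.1); nextUpdate None if omitted."""
    _, p, _ = _tlv(der, 0)                   # CertificateList SEQUENCE
    _, p, tbs_end = _tlv(der, p)             # tbsCertList SEQUENCE
    tag, s, e = _tlv(der, p)                 # optional version INTEGER ...
    if tag == 0x02:
        tag, s, e = _tlv(der, e)             # ... then signature AlgorithmIdentifier
    tag, s, e = _tlv(der, e)                 # issuer Name
    tag, s, e = _tlv(der, e)                 # thisUpdate
    this_update, next_update = _time(tag, der[s:e]), None
    if e < tbs_end:
        tag, s, e = _tlv(der, e)             # nextUpdate, or revokedCertificates/extensions if absent
        if tag in (0x17, 0x18):
            next_update = _time(tag, der[s:e])
    return this_update, next_update

def safe_to_install(der, now=NOW, refresh_min=24 * 60, skew_min=5):
    """True only if the CRL is valid now and still valid at the next refresh, even skew_min late."""
    this_update, next_update = crl_validity(der)
    if next_update is None or this_update > now + skew_min * MINUTE:
        return False                         # no nextUpdate, or not yet valid (clock drift)
    return next_update >= now + (refresh_min + skew_min) * MINUTE

def _der(tag, body):                         # short-form DER encoder, enough for the sample below
    return bytes([tag, len(body)]) + body
def sample_crl(this_update_min, next_update_min):
    """Constructed, unsigned sample CRL; validity given as minute offsets from NOW."""
    utc = lambda m: _der(0x17, (NOW + m * MINUTE).strftime("%y%m%d%H%M%SZ").encode())
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
    cn = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x13, b"Example CA"))  # CN=Example CA
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + _der(0x30, _der(0x31, cn))
               + utc(this_update_min) + utc(next_update_min))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 33))   # dummy signature BIT STRING
```

For a PEM CRL, base64-decode the body between the BEGIN/END lines before calling crl_validity; the signature itself is not verified here, so keep verifying it with OpenSSL against the CA cert before installing.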
Thierry wrote:
Hello,

I am using apache with mod-ssl.
And I want to use a CRL check.

I see that i must use the "SSLCARevocationFile" command.

Example : SSLCARevocationFile
/usr/local/apache/conf/ssl.crl/ca-bundle-client.crl

My CRL file is updated every 45 minutes and my question is how
apache/mod-ssl manages the CRL.

Is the CRL file loaded one time at startup, or at every client
request?

It's very important ...

Thank you in advance !

Thierry
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]