Hi,
I guess I discovered a bug in the CRL checking of mod_ssl, or I just
misconfigured my system. The symptoms are the following:
I have a web server using SSL on port 443 without access control. I do
require client certificates of a CA that I trust to access a subdirectory.
I told Apache to check for CRLs in a directory. When I start IE, delete its
cache and hit the server I get the main page. When I click on the link for
the restricted area I get prompted to select a certificate. I select the
certificate that I suspended and I can access the page. When I press the
"reload" button in IE a couple of times I don't get the page but an error
code: 80090320. And the ssl_engine_log shows that my certificate has been
revoked. When I press reload again, I get the page, the Apache log shows
that it sent the page again. Restarting Apache does not help.
Now my question is, why does Apache only sometimes discover that my
certificate has been revoked? I think this is a severe security bug!
I use Internet Explorer Version 5.00.2014.0216CO with 128 bit encryption and
update 3725, German. The web server is Apache Version 1.3.14 with Mod-SSL
2.7.1 and OpenSSL 0.9.6 on Solaris 2.6.
Any ideas?
Jens
The information contained in this message is confidential and is intended
for the addressee(s) only. If you have received this message in error or
there are any problems please notify the originator immediately. The
unauthorised use, disclosure, copying or alteration of this message is
strictly forbidden. This message and any attachments have been scanned for
viruses. Baltimore Technologies plc will not be liable for direct, special,
indirect or consequential damages arising from alteration of the contents of
this message by a third party or as a result of any virus being passed on.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]