On Tue, Jun 15, 2010, matteo mattau wrote:

> Maybe I'm wrong... I've looked into the mod_ssl source code, and it seems to
> use an OpenSSL function to verify revoked certificates, and to use an OpenSSL
> lookup function to get the CRL of the certificate issuer.

The mod_ssl code uses OpenSSL to verify the certificate but has its own CRL processing logic: i.e. it looks up CRLs and processes them using its own code. So you'd need to modify mod_ssl.

Another issue with mod_ssl is that CRLs are only downloaded when the server starts up: you need to restart it to include new CRLs.

> Do you have a method to suggest to me to check multiple CRLs, or any
> sample that can help me?

No, sorry, I don't, and I don't think this is a trivial change either. I also can't see any way to handle this securely that isn't vulnerable to a substitution attack.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org