On Tue, Jun 15, 2010, matteo mattau wrote:

> Maybe I'm wrong... I've looked into the mod_ssl source code, and it seems to
> use an openssl function to verify revoked certificates, and to use an openssl
> lookup function to get the CRL of the certificate issuer.

The mod_ssl code uses OpenSSL to verify the certificate but has its own CRL
processing logic: i.e. it looks up CRLs and processes them using its own code.

So you'd need to modify mod_ssl. Another issue with mod_ssl is that CRLs are
only downloaded when the server starts up: you need to restart it to include
new CRLs.

> Do you have a method to suggest to me to check multiple CRLs or any
> sample that can help me?

No, sorry, I don't, and I don't think this is a trivial change either. I also
can't see any way to handle this securely that isn't vulnerable to a substitution
attack.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
