CRL updating with mod_ssl

[Roberto Hoyle]

I'm trying to understand when a CRL list gets read by Apache.  I have 
cases of it being read when a new CRL is placed in the directory and 
the make is run, and cases when it does not get read under identical 
circumstances.

The only reliable way that I have to make sure that the CRL gets 
updated is by restarting the server.

Is this supposed to be the case?  I'm confused that it works sometimes 
and doesn't work on others.

Right now, I'm running 1.3.19 with mod_ssl 2.8.1 (yes, I know that they 
are old, but I am not able to update them for support reasons...).  We 
have the SSLCARevocationPath directive set to the proper location, and 
a script that downloads a new CRL every evening and runs the make.  The 
script does not kick the server.  Our CRLs expire in seven days, but 
get published every evening.

Should I just stop worrying and learn to love restarting Apache?

Thanks,

r.
--
Roberto Hoyle
PKI Lab Programmer
Dartmouth College
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

RE: CRL updating with mod_ssl

[Dave Paris]

Your actual message issue notwithstanding, the versions you're running are
not just old, they've got security flaws and vulnerabilities well documented
at both CERT, apache.org, and openssl.org.

http://www.cert.org/advisories/CA-2002-27.html  (Linux, Apache, OpenSSL,
mod_ssl)
http://www.cert.org/advisories/CA-2002-23.html  (OpenSSL)
http://www.cert.org/advisories/CA-2002-17.html  (Apache)


If you've got support preventing *you* from upgrading, *DEMAND* they be
updated to reduce your security risks, vulnerability, and liability.  If
your support contract won't do that, you don't have support and you should
upgrade to current anyway.

Respectfully,
-dsp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Roberto Hoyle
Sent: Tuesday, August 19, 2003 1:56 PM
To: [EMAIL PROTECTED]
Subject: CRL updating with mod_ssl


I'm trying to understand when a CRL list gets read by Apache.  I have
cases of it being read when a new CRL is placed in the directory and
the make is run, and cases when it does not get read under identical
circumstances.

The only reliable way that I have to make sure that the CRL gets
updated is by restarting the server.

Is this supposed to be the case?  I'm confused that it works sometimes
and doesn't work on others.

Right now, I'm running 1.3.19 with mod_ssl 2.8.1 (yes, I know that they
are old, but I am not able to update them for support reasons...).  We
have the SSLCARevocationPath directive set to the proper location, and
a script that downloads a new CRL every evening and runs the make.  The
script does not kick the server.  Our CRLs expire in seven days, but
get published every evening.

Should I just stop worrying and learn to love restarting Apache?

Thanks,

r.
--
Roberto Hoyle
PKI Lab Programmer
Dartmouth College

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]