
List:       apache-httpd-bugs
Subject:    DO NOT REPLY [Bug 45708] New: CRL verification fails if CA have
From:       bugzilla () apache ! org
Date:       2008-08-28 22:11:04
Message-ID: bug-45708-7868 () https ! issues ! apache ! org/bugzilla/

https://issues.apache.org/bugzilla/show_bug.cgi?id=45708

           Summary: CRL verification fails if CA has distinct AKID for CRL
                    and client certificates
           Product: Apache httpd-2
           Version: 2.2.9
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: apache-bugs@nicob.net


I'm actually trying to set up an SSL reverse proxy based on Apache 2.x / mod_ssl
and it seems there's a bug in the verification of the CRL.

If a CA changes its keys before expiration, the CRL is now signed by the new
key and includes certificates issued by both the new and old keys. However,
mod_ssl will refuse to work if the AKID (authority key identifier) of the
proposed client certificate doesn't match the issuer of the CRL.

Browsing Apache archives, I found that somebody posted a patch covering this
need (http://marc.info/?l=apache-httpd-dev&m=120350484626015), but the code
hasn't been merged. I tested it and it works perfectly well.

Does this patch seem OK to you? If yes, is it possible to include it?
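
The key-rollover situation the report describes, reproduced as an added example (not the reporter's patch and not httpd/mod_ssl code) with the Python `cryptography` library: a constructed CA re-keys, the client certificate carries the old key's AKID, and the CRL is signed by the new key. A strict AKID-equality check rejects the CRL, while a check that matches the issuer name and verifies the CRL signature against any trusted CA certificate of that name accepts it. All names, keys and serial numbers are constructed here.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2008, 8, 28, tzinfo=dt.timezone.utc)
CA = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Rollover CA (constructed)")])
CLIENT = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "client (constructed)")])

def issue(subject, subject_key, signer_key, serial):
    """Issue a cert whose AKID names the *signing* key, as a real CA would."""
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(CA)
            .public_key(subject_key.public_key()).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365))
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(subject_key.public_key()), critical=False)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(signer_key.public_key()), critical=False)
            .sign(signer_key, hashes.SHA256()))

# Constructed rollover scenario: the CA re-keyed, so two self-signed CA certs
# share one subject name; the client certs were issued under the old key.
old_key, new_key, client_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
old_ca = issue(CA, old_key, old_key, 1)
new_ca = issue(CA, new_key, new_key, 2)
client = issue(CLIENT, client_key, old_key, 100)
revoked = issue(CLIENT, client_key, old_key, 101)

# The CRL is signed by the new key (AKID = new key) but lists a serial issued by the old key.
crl = (x509.CertificateRevocationListBuilder().issuer_name(CA)
       .last_update(NOW).next_update(NOW + dt.timedelta(days=7))
       .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(new_key.public_key()), critical=False)
       .add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(101).revocation_date(NOW).build())
       .sign(new_key, hashes.SHA256()))

def akid(obj):
    return obj.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier

def strict_akid_check(cert, crl):
    """Behaviour the report describes: the CRL is only accepted if its AKID equals the cert's AKID."""
    return akid(cert) == akid(crl)

def rollover_aware_check(cert, crl, trusted_cas):
    """Accept the CRL if the issuer names match and a trusted CA cert with that name signed it."""
    return crl.issuer == cert.issuer and any(
        ca.subject == crl.issuer and crl.is_signature_valid(ca.public_key()) for ca in trusted_cas)

def is_revoked(cert, crl):
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
```

With both CA certificates trusted, the rollover-aware check accepts the CRL and the revoked serial is still found; the strict check rejects the CRL outright, which is the failure the report describes.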


