List: apache-httpd-bugs
Subject: DO NOT REPLY [Bug 45708] New: CRL verification fails if CA have
From: bugzilla () apache ! org
Date: 2008-08-28 22:11:04
Message-ID: bug-45708-7868 () https ! issues ! apache ! org/bugzilla/
https://issues.apache.org/bugzilla/show_bug.cgi?id=45708
Summary: CRL verification fails if CA have distinct AKID for CRL and client certificates
Product: Apache httpd-2
Version: 2.2.9
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
AssignedTo: bugs@httpd.apache.org
ReportedBy: apache-bugs@nicob.net

I'm actually trying to set up an SSL reverse-proxy based on Apache 2.x / mod_ssl
and it seems there's a bug in the verification of the CRL.

If a CA changes its keys before expiration, the CRL is now signed by the new
key and includes certificates issued by both the new and old keys. However,
mod_ssl will refuse to work if the AKID (authority key identifier) of the
proposed client certificate doesn't match the issuer of the CRL.

Browsing Apache archives, I found that somebody posted a patch covering this
need (http://marc.info/?l=apache-httpd-dev&m=120350484626015), but the code
hasn't been merged. I tested it and it works perfectly well.

Does this patch seem OK to you? If yes, is it possible to include it?
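
The mismatch described in the report, as an added example that is not part of the original message or of mod_ssl: a stdlib-only Python triage helper that extracts the keyIdentifier from an AuthorityKeyIdentifier extension value and flags a certificate and a CRL that share an issuer DN but carry different key identifiers. The issuer DN, the key identifiers and all function names are constructed for illustration.

```python
# Added example: stdlib only; the DER values below are constructed sample data.

def read_tlv(buf, off=0):
    """Return (tag, value, next_offset) for the DER element at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[off:off + length], off + length

def akid_key_id(ext_value):
    """keyIdentifier from an AuthorityKeyIdentifier extension value, or None if absent."""
    tag, body, _ = read_tlv(ext_value)
    if tag != 0x30:                        # AuthorityKeyIdentifier is a SEQUENCE
        raise ValueError("AKID is not a SEQUENCE")
    off = 0
    while off < len(body):
        tag, value, off = read_tlv(body, off)
        if tag == 0x80:                    # [0] IMPLICIT OCTET STRING keyIdentifier
            return value
    return None

def classify(cert_issuer, cert_akid, crl_issuer, crl_akid):
    """Triage a certificate/CRL pair by issuer DN and AKID keyIdentifier."""
    if cert_issuer != crl_issuer:
        return "different-issuer"
    cert_kid, crl_kid = akid_key_id(cert_akid), akid_key_id(crl_akid)
    if cert_kid is None or crl_kid is None:
        return "akid-missing"
    return "match" if cert_kid == crl_kid else "same-issuer-key-rollover"

def der_akid(key_id):
    """Build an AKID value holding only keyIdentifier (sample-data helper)."""
    inner = bytes([0x80, len(key_id)]) + key_id
    return bytes([0x30, len(inner)]) + inner

ISSUER = "CN=Example CA,O=Example"         # constructed DN
OLD_KEY = bytes.fromhex("11" * 20)         # constructed key identifiers
NEW_KEY = bytes.fromhex("22" * 20)

if __name__ == "__main__":
    # Client certificate issued under the old CA key, CRL signed with the new one.
    print(classify(ISSUER, der_akid(OLD_KEY), ISSUER, der_akid(NEW_KEY)))
```

A `same-issuer-key-rollover` result is the situation the report describes: the issuer names agree and only the key identifiers differ.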