Mailing List Archive

[Bug 53156] CRL validation fails if CRL is missing
https://issues.apache.org/bugzilla/show_bug.cgi?id=53156

David Sansome <me@davidsansome.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Keywords| |PatchAvailable

--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 53156] CRL validation fails if CRL is missing [ In reply to ]
https://issues.apache.org/bugzilla/show_bug.cgi?id=53156

Ruediger Pluem <rpluem@apache.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO

--- Comment #1 from Ruediger Pluem <rpluem@apache.org> ---
Why doesn't SSLCARevocationCheck none solve your problem (which is the default
value btw)?

--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 53156] CRL validation fails if CRL is missing [ In reply to ]
https://issues.apache.org/bugzilla/show_bug.cgi?id=53156

David Sansome <me@davidsansome.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |NEW

--- Comment #2 from David Sansome <me@davidsansome.com> ---
If I have CRLs for some CAs in the chain but not others then
SSLCARevocationCheck none/chain will only let me either allow everything or
deny everything - I can't tell it to check the ones that I have CRLs for but
ignore the rest.

The long answer is that I'm working on an embedded appliance that uses Apache -
we want to upgrade it from 2.2 to 2.4, but some users might have already added
CRLs to their systems. We could default the SSLCARevocationCheck option to
None, which would lower security for the people who were using CRLs, or we
could default it to Chain, which would completely lock out people who were
using client certificate checking without CRLs. Adding this option back in
makes sure we don't break anybody.

--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 53156] CRL validation fails if CRL is missing [ In reply to ]
https://issues.apache.org/bugzilla/show_bug.cgi?id=53156

--- Comment #3 from Kaspar Brand <asfbugz@velox.ch> ---
There's room for improvement with regards to revocation checking settings in
mod_ssl, that's true.

Re-introducing an additional directive which restores the behavior from 2.2
seems like the wrong approach, however. Making revocation checking optional
(like the SSLCARevocationAllowMissing boolean would do) is pretty nonsensical,
IMO - either you insist on clients having an unrevoked cert or you don't.

Configuring revocation setting options basically amounts to enforcing a
security policy - that's why I added a separate CARevocationCheck directive in
r1165056 (which no longer relies on the implicit effects of
CARevocationFile/CARevocationPath as in 2.2). Instead of introducing yet
another directive, we should consider extending the syntax/options of
SSLCARevocationCheck.

One thing I was thinking about when working on r1165056 was to make revocation
checking succeed if the "unrevoked" status can be determined from either the
CRL or an OCSP response. Currently, if CRL and OCSP checking is enabled, *both*
have to succeed.

Finally, let me point out that there's an inherent issue with the proposed
patch: if mod_ssl unconditionally ignores X509_V_ERR_UNABLE_TO_GET_CRL errors
when "AllowMissing" is enabled, then it's no longer possible to reliably
enforce revocation checking for those CAs which do have CRLs (mod_ssl wouldn't
complain when the CRL can't be found, it would just silently proceed).

--
You are receiving this mail because:
You are the assignee for the bug.