CRL updating with mod_ssl
on 19.08.2003 19:56:13 by Roberto Hoyle
I'm trying to understand when a CRL list gets read by Apache. I have
cases of it being read when a new CRL is placed in the directory and
the "make" is run, and cases when it does not get read under identical
circumstances.
The only reliable way that I have to make sure that the CRL gets
updated is by restarting the server.
Is this supposed to be the case? I'm confused that it works sometimes
and doesn't work on others.
Right now, I'm running 1.3.19 with mod_ssl 2.8.1 (yes, I know that they
are old, but I am not able to update them for support reasons...). We
have the SSLCARevocationPath directive set to the proper location, and
a script that downloads a new CRL every evening and runs the make. The
script does not kick the server. Our CRLs expire in seven days, but
get published every evening.
Should I just stop worrying and learn to love restarting Apache?
Thanks,
r.
--
Roberto Hoyle
PKI Lab Programmer
Dartmouth College
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
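As an added example that is not part of this thread: a nightly refresh script of the kind the first message describes (download the CRL, run `make` in the SSLCARevocationPath directory), extended with the graceful restart the thread identifies as the only reliable way to get a new CRL honoured. It verifies the downloaded CRL against the CA certificate and restarts only when the file actually changed; the CRL URL, file paths and apachectl location are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. Paths and the CRL URL are assumptions.
set -eu

CRL_URL="https://ca.example.edu/crl/ca.crl"        # placeholder URL
CA_CERT="/usr/local/apache/conf/ssl.crt/ca.crt"    # assumed CA certificate
CRL_DIR="/usr/local/apache/conf/ssl.crl"           # assumed SSLCARevocationPath
CRL_FILE="$CRL_DIR/ca.crl"
APACHECTL="/usr/local/apache/bin/apachectl"        # assumed apachectl location

# True (exit 0) when the new CRL differs byte for byte from the installed
# one, or when nothing is installed yet.
crl_changed() {
    [ -f "$2" ] || return 0
    ! cmp -s "$1" "$2"
}

# True when the CRL's signature verifies against our CA certificate.
# "openssl crl -CAfile" prints "verify OK" to stderr on success.
crl_valid() {
    openssl crl -in "$1" -inform PEM -noout -CAfile "$CA_CERT" 2>&1 \
        | grep -q 'verify OK'
}

refresh_crl() {
    tmp=$(mktemp "$CRL_DIR/.ca.crl.XXXXXX")
    trap 'rm -f "$tmp"' EXIT
    curl -fsS -o "$tmp" "$CRL_URL"
    if ! crl_valid "$tmp"; then
        echo "downloaded CRL failed verification; keeping the installed one" >&2
        return 1
    fi
    if crl_changed "$tmp" "$CRL_FILE"; then
        mv "$tmp" "$CRL_FILE"          # atomic replace of the installed CRL
        ( cd "$CRL_DIR" && make )      # rebuild the <hash>.rN links, as the nightly job already does
        "$APACHECTL" graceful          # the step the poster's script lacks
        echo "new CRL installed; Apache restarted gracefully"
    else
        echo "CRL unchanged; no restart needed"
    fi
}

# Run the refresh only when invoked as "crl-refresh.sh run", so the
# functions can be sourced without touching the network or the server.
case "${1:-}" in
    run) refresh_crl ;;
esac
```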
RE: CRL updating with mod_ssl
on 19.08.2003 20:07:30 by Dave Paris
Your actual message issue notwithstanding, the versions you're running are
not just old, they've got security flaws and vulnerabilities well documented
at CERT, apache.org, and openssl.org.
http://www.cert.org/advisories/CA-2002-27.html (Linux, Apache, OpenSSL, mod_ssl)
http://www.cert.org/advisories/CA-2002-23.html (OpenSSL)
http://www.cert.org/advisories/CA-2002-17.html (Apache)
If you've got support preventing *you* from upgrading, *DEMAND* they be
updated to reduce your security risks, vulnerability, and liability. If
your support contract won't do that, you don't have support and you should
upgrade to current anyway.
Respectfully,
-dsp