RE: mod_ssl crl question

Hi

Thanks, yes I wrote a script to download the crl and convert it into pem format and I do a service httpd reload - seems to work.

Strange that we can't get mod_ssl to grab the crl from the url provided? With some sort of code to say cache it for 5 min etc etc.

Alex

-----Original Message-----
From: Toomas Aas [mailto:toomas.aas@xxxxxxxxxxxxx] 
Sent: Tuesday, 22 November 2011 4:58 PM
To: users@xxxxxxxxxxxxxxxx
Subject: Re:  mod_ssl crl question

On Fri, 18 Nov 2011, Alex Samad - Yieldbroker
<Alex.Samad@xxxxxxxxxxxxxxx> wrote:

> I have a ssl site and I am wondering how apache / mod_ssl handle crl's 
> it seems like I have to grab the crl and place it into a file for 
> apache / mod_ssl to read from there.
>
> My issue crl is for 1 day
> Last Update: Nov 17 13:21:32 2011 GMT
> Next Update: Nov 18 13:21:32 2011 GMT
>
> So there is a point in time when it is not going to be valid...
> how do other people handle this, and does a SIGHUP reload the crl or
> do I need to restart apache?

I simply wrote a script that periodically downloads the new CRL, puts it in place and restarts Apache. In my case the CRL updates are issued at 'random' times so my script reads the next update time from the CRL and schedules itself to run a few minutes before that. If your CRL is updated at fixed times you could just schedule it with cron.

I'm not doing a graceful restart but rather a full restart when the CRL is updated. That may be because I investigated the issue at the time I set this up and found the graceful restart to be insufficient, or because I just wasn't sure if graceful restart will work. I *think* it's the former.

HTH
--
Toomas Aas


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
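
Added example (not part of either message, and not the posters' own scripts): a Python version of the refresh job both messages describe, which downloads the CRL, converts it to PEM, installs it, restarts Apache and works out when to run again from the Next Update field. The URL, file path, five-minute margin and restart command are assumptions; a download that is already past its Next Update is rejected so the file Apache is using stays in place.

```python
import os, re, subprocess, urllib.request
from datetime import datetime, timedelta, timezone

# Assumptions, not values from the thread:
CRL_URL = "http://ca.example.invalid/issuing-ca.crl"  # placeholder CRL distribution point (DER)
CRL_PEM = "/etc/httpd/conf/ssl.crl/issuing-ca.pem"    # file named by SSLCARevocationFile
RESTART = ["apachectl", "-k", "restart"]              # one poster reloads, the other fully restarts
MARGIN = timedelta(minutes=5)                         # refresh this long before Next Update

# Matches "Next Update: Nov 18 13:21:32 2011 GMT" (-text) and "nextUpdate=Nov  8 ..." (-nextupdate).
_FIELD = re.compile(r"(last|next)\s*update\s*[=:]\s*(\w{3}\s+\d{1,2} [\d:]{8} \d{4}) GMT", re.I)

def crl_window(text):
    """Return {'last': dt, 'next': dt} (UTC) parsed from `openssl crl` output."""
    return {name.lower(): datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
            for name, stamp in _FIELD.findall(text)}

def plan(text, now, margin=MARGIN):
    """Return (state, run_at): 'stale' if expired, 'due' if inside the margin, else 'ok'."""
    nxt = crl_window(text)["next"]
    if now >= nxt:
        return "stale", now
    run_at = nxt - margin
    return ("due", now) if now >= run_at else ("ok", run_at)

def openssl_crl(*args, data):
    """Run `openssl crl` with the CRL on stdin and return its stdout."""
    return subprocess.run(["openssl", "crl", *args], input=data,
                          capture_output=True, check=True).stdout

def refresh(now=None):
    """Fetch, convert, validate dates, install, restart; return when to run next."""
    now = now or datetime.now(timezone.utc)
    der = urllib.request.urlopen(CRL_URL, timeout=30).read()
    pem = openssl_crl("-inform", "DER", "-outform", "PEM", data=der)
    dates = openssl_crl("-noout", "-lastupdate", "-nextupdate", data=pem).decode()
    state, run_at = plan(dates, now)
    if state == "stale":  # raising here leaves the currently installed CRL untouched
        raise RuntimeError("downloaded CRL is already past Next Update")
    tmp = CRL_PEM + ".new"  # same directory, so os.replace is an atomic rename
    with open(tmp, "wb") as fh:
        fh.write(pem)
    os.replace(tmp, CRL_PEM)
    subprocess.run(RESTART, check=True)
    # If the CA has not published a fresh CRL yet ('due'), try again in a minute.
    return max(run_at, now + timedelta(minutes=1))

if __name__ == "__main__":
    print("next refresh at", refresh().isoformat())
```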