Hi httpd users,

I only want to allow clients to log in with a valid certificate that has not been revoked.
For this I wrote a small bash script to download the CRL of each CA I've configured in the ca-bundle.crt, convert it into PEM format and create the required hash symlinks.

httpd-2.4.52
openssl-1.1.1m
<VirtualHost _default_:8443>
  ...
  SSLCACertificateFile "/etc/httpd/ca-bundle.crt"
  SSLEngine on
  SSLProtocol TLSv1.2
  ...
  SSLCARevocationPath  "/var/httpd/crl/"
  SSLCARevocationCheck chain
  SSLVerifyClient require
  SSLVerifyDepth  3
  ...
</VirtualHost>

The setup ran properly, but after a few days of uptime I got errors like this:
[2022-03-30 17:10:00.807034] [ssl:error] [C:W5J48KAelwE] AH02039: Certificate Verification: Error (12): CRL has expired

The CRLs and symlinks in my crl directory were up to date. But the httpd did not read them after they were updated. So the httpd runs into the expiration date of the old CRLs.
Searching for this problem I found this old entry in the bugzilla: https://bz.apache.org/bugzilla/show_bug.cgi?id=14104
Does the problem of httpd-2.0.x still resist in httpd-2.4.x or do I have a misconfiguration in my setup?

From my point of view there are two possible workarounds but both are not very nice:
  A) restart gracefully the httpd after updating the CRL files
  B) set MaxConnectionsPerChild on a small value.

regards,
Hendrik

-- 
----------------------------------------------------------
Hendrik Harms
mail: hendrik.harms@xxxxxxxxx
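The failure described in this post is silent until clients start being rejected: the CRL files in SSLCARevocationPath are replaced on disk, but the running httpd keeps using what it loaded earlier, and the first visible symptom is AH02039 "CRL has expired". The checker below is an added example written for this thread, not code from the original post or from the httpd project. It uses only the Python standard library: a minimal DER walker reads thisUpdate/nextUpdate out of each PEM (or DER) CRL in the directory, flags CRLs that are expired or close to nextUpdate, and reports hash symlinks (`*.r0`) whose target no longer exists. It does not verify CRL signatures; that remains OpenSSL's job inside httpd. The sample CRLs, the issuer name "Example Test CA", the file names and the `DEMO_NOW` timestamp are constructed for the demonstration (the signatures in them are dummies), and the two-day `warn_before` window is an assumed threshold.

```python
import base64, os, re, tempfile
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos (short and long length forms)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):                                   # (tag, value) of each element in a SEQUENCE/SET body
    pos = 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        yield tag, val

def _time(tag, val):
    """Decode X.509 Time: UTCTime (0x17, two-digit year, RFC 5280 pivot at 50) or GeneralizedTime (0x18)."""
    s = val.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def pem_to_der(data):
    """Accept a PEM ('-----BEGIN X509 CRL-----') or raw DER CRL and return the DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(b"".join(re.sub(rb"-----[^-]+-----", b"", data).split()))
    return data

def crl_validity(data):
    """Return (thisUpdate, nextUpdate or None) read from the tbsCertList of a CRL."""
    _, cert_list, _ = _tlv(pem_to_der(data), 0)       # CertificateList ::= SEQUENCE { tbsCertList, sigAlg, sig }
    _, tbs, _ = _tlv(cert_list, 0)                     # tbsCertList ::= SEQUENCE { [version], sigAlg, issuer, thisUpdate, [nextUpdate], ... }
    fields = list(_children(tbs))
    if fields[0][0] == 0x02:                           # optional version INTEGER comes first
        fields = fields[1:]
    this_update = _time(*fields[2])                    # after sigAlg and issuer Name
    has_next = len(fields) > 3 and fields[3][0] in (0x17, 0x18)
    return this_update, (_time(*fields[3]) if has_next else None)

def crl_status(data, now, warn_before=timedelta(days=2)):
    """Classify one CRL at `now`: 'ok', 'expiring' (nextUpdate within warn_before), 'expired' or 'no-nextupdate'."""
    _, next_update = crl_validity(data)
    if next_update is None:
        return "no-nextupdate"
    if now >= next_update:
        return "expired"                               # the state behind "Error (12): CRL has expired"
    return "expiring" if now + warn_before >= next_update else "ok"

def check_crl_dir(path, now, warn_before=timedelta(days=2)):
    """Status of every CRL in an SSLCARevocationPath directory, plus dangling hash symlinks (*.r0)."""
    report = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.islink(full) and not os.path.exists(full):
            report[name] = "dangling-symlink"          # the link survived, the CRL file it pointed at did not
        elif os.path.isfile(full):
            try:
                with open(full, "rb") as fh:
                    report[name] = crl_status(fh.read(), now, warn_before)
            except (ValueError, IndexError, UnicodeDecodeError):
                report[name] = "unparsable"            # truncated download or a file that is not a CRL at all
    return report

def _der(tag, content):                                # minimal DER TLV encoder for the constructed samples
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_crl_pem(this_update, next_update):
    """Constructed PEM CRL (dummy signature, one revoked serial) for offline testing; not a real CA's CRL."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"Example Test CA"))))
    revoked = _der(0x30, _der(0x30, _der(0x02, b"\x10\x01") + utc(this_update)))
    tbs = _der(0x30, _der(0x02, b"\x01") + sig_alg + issuer + utc(this_update) + utc(next_update) + revoked)
    crl = _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" + b"\xAA" * 32))    # BIT STRING holding a fake signature
    b64 = base64.b64encode(crl)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN X509 CRL-----\n" + body + b"\n-----END X509 CRL-----\n"

DEMO_NOW = datetime(2022, 3, 30, 17, 10, tzinfo=timezone.utc)   # constructed: timestamp of the AH02039 error in the post
def demo_report(now=DEMO_NOW):
    """Fill a throw-away directory with constructed CRLs in three states and check it."""
    samples = {
        "old-ca.crl":   (now - timedelta(days=40), now - timedelta(days=10)),   # refresh never happened
        "soon-ca.crl":  (now - timedelta(days=29), now + timedelta(days=1)),    # refresh is overdue
        "fresh-ca.crl": (now - timedelta(days=1),  now + timedelta(days=29)),   # freshly downloaded
    }
    with tempfile.TemporaryDirectory() as d:
        for name, (this_update, next_update) in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(sample_crl_pem(this_update, next_update))
        os.symlink("removed-ca.crl", os.path.join(d, "12345678.r0"))  # hash link whose target was deleted
        return check_crl_dir(d, now)
if __name__ == "__main__":
    for name, status in demo_report().items():
        print(f"{name}: {status}")
```

Run against the real directory with `check_crl_dir("/var/httpd/crl/", datetime.now(timezone.utc))` from the refresh job or a monitoring check. Two things follow from the thread: an "expiring" entry means the download step is late, and a clean report still says nothing about what the running httpd holds, so the job that refreshes the files should end with the graceful restart from workaround A and a look at the error log for further AH02039 lines afterwards.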