Feature #2319

Support CRLs for client certificate verification

Added by binbrain almost 6 years ago. Updated 4 months ago.

Patch Pending

I've attached a patch to support local CRLs. This feature has been discussed in tickets #1288 and #2278. The change was developed for 1.4.26 and ported to trunk 1.5 without much effort. The patch can be applied to the SVN 1.5 trunk and works as follows.

  • the regular client verification configuration discussed in ticket #1288 applies
  • new config param added
  • if is set, make sure the client cert isn't revoked

If all goes well, a client using a revoked cert will receive a "SSL peer rejected your certificate as revoked" message. Otherwise, pass through.

ca-crl.patch View - patch for 1.5 (3.62 KB) binbrain, 2011-06-01 19:55

ca-crl-1.4.39.patch View - patch for 1.4.39 (3.51 KB) flynn, 2016-03-16 14:45

ca-crl-1.4.42.patch View - patch for 1.4.42 (3.59 KB) flynn, 2016-10-31 08:59


#1 Updated by darix almost 6 years ago

  • File deleted (ca-crl.patch)

#2 Updated by binbrain almost 6 years ago

#3 Updated by stbuehler almost 6 years ago

  • Target version set to 1.5.0

#4 Updated by flynn about 1 year ago

I adapted the patch for the current version 1.4.39 and it works for me, if the revocation reason code is set to "Privilege Withdrawn".

I would like to see it in the next version 1.4.40, especially because there is no effect on existing installations as long as the new configuration variable is not used.

For the wiki I suggest the following entry: path to the CRL file in PEM format (revocation list)
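
The description above ("if the client cert is revoked, reject it; otherwise pass through") and the comment in #4 (a PEM CRL file, revocation with a reason code) both describe a flow that anyone testing this patch has to reproduce by hand. The script below is an added example, not code from lighttpd or from the ca-crl patch: it builds a throw-away CA with the openssl CLI, issues two client certificates, revokes one with a reason code, publishes the CRL in PEM form, and verifies each certificate against CA plus CRL with `openssl verify -crl_check`, which is the same accept/reject decision a server doing CRL-based client verification has to make. It does not drive lighttpd itself. The names (Demo CA, alice, bob), the file names, and the `keyCompromise` reason are assumptions of the example; `keyCompromise` is one of the reason names `openssl ca -crl_reason` accepts, so substitute whichever reason your own CA tooling supports.

```shell
#!/bin/sh
# Added example (not lighttpd code and not from the ca-crl patch): throw-away
# CA, two client certs, one revoked, CRL in PEM, and verification of both.
# "Demo CA", "alice", "bob", the file names and the keyCompromise reason are
# assumptions made for this example.

# Write the minimal openssl config that the "ca" subcommand needs into $1.
crl_demo_write_config() {
    cat > "$1/ca.cnf" <<'EOF'
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = policy_any
x509_extensions  = client_ext

[ policy_any ]
commonName       = supplied

[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
CN = Demo CA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}

# Create the CA, issue client certs for alice and bob, revoke alice with a
# reason code and generate ca.crl (PEM). $1 = empty working directory.
# openssl's progress chatter on stderr is suppressed to keep the output short.
crl_demo_setup() {
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"
    echo 1000 > "$1/serial"
    echo 1000 > "$1/crlnumber"
    crl_demo_write_config "$1"
    (
        cd "$1" || exit 1
        openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
            -keyout ca.key -out ca.pem -subj "/CN=Demo CA" 2>/dev/null
        for name in alice bob; do
            openssl req -config ca.cnf -newkey rsa:2048 -nodes \
                -keyout "$name.key" -out "$name.csr" -subj "/CN=$name" 2>/dev/null
            openssl ca -config ca.cnf -batch -notext \
                -in "$name.csr" -out "$name.pem" 2>/dev/null
        done
        openssl ca -config ca.cnf -revoke alice.pem -crl_reason keyCompromise 2>/dev/null
        openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
    )
}

# Verify cert $2 (a file in $1) against the CA and the CRL: the decision a
# server doing CRL-based client verification makes. Prints openssl's verdict
# and returns 0 only when the certificate is accepted.
crl_verify() {
    out=$(cd "$1" && openssl verify -CAfile ca.pem -crl_check -CRLfile ca.crl "$2" 2>&1) || true
    printf '%s\n' "$out"
    case "$out" in
        *": OK"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print the CRL's revoked entries (serial, revocation date, reason code).
crl_revocation_reason() {
    openssl crl -in "$1/ca.crl" -noout -text | sed -n '/Revoked Certificates/,$p'
}

# Stand-alone run: alice (revoked) must be rejected, bob must pass.
WORK=$(mktemp -d)
crl_demo_setup "$WORK"
crl_verify "$WORK" alice.pem
crl_verify "$WORK" bob.pem
crl_revocation_reason "$WORK"
rm -rf "$WORK"
```

Two things worth keeping in mind when turning this into a test for the patch: `-crl_check` only checks the leaf certificate, while `-crl_check_all` requires a CRL for every CA in the chain, so decide which of the two behaviours the server is expected to have; and the generated CRL carries a nextUpdate (seven days here), so a stale CRL file on the server is itself a verification failure, not a silent pass-through.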

#5 Updated by gstrauss about 1 year ago

  • Target version changed from 1.5.0 to 1.4.x

#6 Updated by gstrauss 12 months ago

  • Category changed from core to TLS

#7 Updated by dirk4000 7 months ago

I would like to see this feature in next version 1.4.42.

#8 Updated by flynn 6 months ago

I updated the patch for the current version 1.4.42 for easier inclusion.

#9 Updated by gstrauss 6 months ago

Thanks, flynn. This won't make today's release, but will likely make the one following.

#10 Updated by gstrauss 4 months ago

Sorry. This won't make 1.4.44. Maybe the following release.

As noted in #2694

Patches are much more likely to be included if there is someone with whom I can discuss the patches, and who can reliably test lighttpd once those patches have been applied (and before the patches are included in a lighttpd release).

See also #2156 where the request for feedback has unfortunately been met with silence.
