[Solved] certificate revocation list configuration

Added by BTschunko about 1 month ago

Hello,

I have a question regarding the use of certificate revocation lists with the parameter ssl.verifyclient.ca-crl-file. It appears that a CRL revocation list is required for each CA and intermediate CA when using this parameter.

I was wondering if there is a way to only check the CRL if present and allow some CAs without a CRL in the ca-crl-file as well. Is there any method to achieve this?


Replies (2)

RE: certificate revocation list configuration - Added by gstrauss about 1 month ago

See https://git.lighttpd.net/lighttpd/lighttpd1.4/src/branch/master/src/mod_openssl.c#L896 and review mod_openssl_load_cacrls(), specifically the line X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);

man X509_VERIFY_PARAM_set_flags

Change the code at your own peril and then test thoroughly and carefully.
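
The two flags the reply points at, shown with the openssl command line tool rather than by patching mod_openssl.c. This is an added example, not lighttpd's or OpenSSL's own code: `openssl verify -crl_check` sets X509_V_FLAG_CRL_CHECK and `-crl_check_all` sets X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL, the same pair mod_openssl_load_cacrls() puts on the store, so the CLI reproduces the server's verdict. The script builds a throwaway PKI (root CA, intermediate CA, one client certificate; the names, serials and one-day lifetimes are made up for the demo) and verifies the client certificate with a CRL from the root only, with CRLs from both CAs, and after the intermediate revokes the certificate.

```shell
#!/bin/sh
# Added example, not lighttpd's code: demonstrate X509_V_FLAG_CRL_CHECK and
# X509_V_FLAG_CRL_CHECK_ALL via `openssl verify`, whose -crl_check and
# -crl_check_all options set exactly those flags on the X509_STORE.
# Everything below lives in a temp dir; subjects and serials are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > leaf.ext

# issue_cert NAME ISSUER SERIAL EXTFILE: ISSUER=self produces a self-signed root.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" 2>/dev/null
  if [ "$2" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
      -extfile "$4" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -set_serial "$3" \
      -days 1 -extfile "$4" -out "$1.crt" 2>/dev/null
  fi
}

# make_crl CA [CERT_TO_REVOKE]: (re)issue CA.crl with `openssl ca`, which wants
# a minimal config and an index.txt database per CA.
make_crl() {
  mkdir -p "$1.db"
  touch "$1.db/index.txt"
  [ -f "$1.db/crlnumber" ] || echo 01 > "$1.db/crlnumber"
  cat > "$1.db/ca.cnf" <<EOF
[ ca ]
default_ca = ca_default
[ ca_default ]
database = $WORK/$1.db/index.txt
crlnumber = $WORK/$1.db/crlnumber
default_md = sha256
default_crl_days = 1
EOF
  if [ $# -gt 1 ]; then
    openssl ca -config "$1.db/ca.cnf" -keyfile "$1.key" -cert "$1.crt" \
      -revoke "$2" 2>/dev/null
  fi
  openssl ca -config "$1.db/ca.cnf" -keyfile "$1.key" -cert "$1.crt" \
    -gencrl -out "$1.crl" 2>/dev/null
}

# verdict VERIFY-OPTIONS...: verify client.crt with inter.crt as untrusted chain
# material; print "OK" or "<X509_V_ERR number> <reason>" from the first error.
verdict() {
  if out=$(openssl verify "$@" -untrusted inter.crt client.crt 2>&1); then
    echo OK
  else
    echo "$out" | sed -n 's/.*error \([0-9]*\) at [0-9]* depth lookup: *\(.*\)$/\1 \2/p' | head -n 1
  fi
}

issue_cert root self 0 ca.ext
issue_cert inter root 1 ca.ext
issue_cert client inter 2 leaf.ext

make_crl root                                  # the root publishes a CRL ...
cat root.crt root.crl > store_rootcrl.pem      # ... but the intermediate does not
make_crl inter
cat root.crt root.crl inter.crl > store_allcrls.pem
make_crl inter client.crt                      # intermediate revokes the client cert
cat root.crt root.crl inter.crl > store_revoked.pem

echo "no CRL flags, no CRLs in the store:   $(verdict -CAfile root.crt)"
echo "CRL_CHECK_ALL, root CRL only:         $(verdict -crl_check_all -CAfile store_rootcrl.pem)"
echo "CRL_CHECK (leaf only), root CRL only: $(verdict -crl_check -CAfile store_rootcrl.pem)"
echo "CRL_CHECK_ALL, CRL from every CA:     $(verdict -crl_check_all -CAfile store_allcrls.pem)"
echo "CRL_CHECK_ALL, client revoked:        $(verdict -crl_check_all -CAfile store_revoked.pem)"
```

Reading the results: the leaf is checked first, so with only the root's CRL in the store both flag sets stop at depth 0 with error 3 (X509_V_ERR_UNABLE_TO_GET_CRL), because the leaf's CRL must come from its issuer, the intermediate. X509_V_FLAG_CRL_CHECK alone therefore does not spare you the intermediate's CRL; it only spares you CRLs for the CAs above it. With CRL_CHECK_ALL every certificate in the chain is checked, the self-signed root included, so the root's own CRL has to be present as well. Once every issuer has a CRL in the store the chain verifies, and after the intermediate revokes the client certificate the same check fails with error 23 (X509_V_ERR_CERT_REVOKED). There is no verification flag for "check the CRL only if one is present"; the only way to get that is a verify callback that treats X509_V_ERR_UNABLE_TO_GET_CRL as success, which is the code change the reply warns about, and it turns a missing or unreadable CRL into a silent revocation bypass.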

RE: [Solved] certificate revocation list configuration - Added by BTschunko 29 days ago

Thanks for the hint. I went through the OpenSSL documentation and will test the options.
