Bug #3193

closed

CRL file should be reloaded on change

Added by tteras about 1 year ago. Updated about 1 year ago.

Status: Invalid
Priority: Low
Category: TLS
Target version: -
ASK QUESTIONS IN Forums: No

Description

The SSL implementations should reload the CRL file if it changes. Typically the CRL files will be refreshed often to get the latest status of revoked certificates. The CRL files also have a timestamp by which they need to be updated or they become expired. In some cases the cycle in which the CRL needs to be updated can be short (an hour), so doing a full reload does not sound practical.

Ideally inotify or a similar mechanism would be used to monitor the CRL (also OCSP stapling file?) and trigger a reload of the dynamic data on change.

Actions #1

Updated by gstrauss about 1 year ago

  • Status changed from New to Invalid
  • Priority changed from Normal to Low
  • Target version deleted (1.4.xx)

"I want it" does not necessarily indicate a bug.

CRLs work as designed in lighttpd. You are making a feature request that probably would have been better as a question in the Forums.

> so doing a full reload does not sound practical.

citation/data required (explain). Unsubstantiated opinions are worthless.

Contrary to your statement about practicality, lighttpd supports graceful restart with SIGUSR1.

With some constraints on allowed lighttpd.conf configurations, graceful restart is immediate if server.feature-flags "server.graceful-restart-bg" is enabled.
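
The approach from the comment above (refresh the CRL through a SIGUSR1 graceful restart instead of in-process file watching), as an added example that is not part of the original thread and not lighttpd's own code: a poll script that signals the server only when the CRL content has actually changed. The default paths, the function names and the script name `crl-reload.sh` are assumptions.

```shell
#!/bin/sh
# Added example: restart lighttpd gracefully only when the CRL content changes.
# Paths below are assumed defaults, not taken from the thread.
CRL=${CRL:-/etc/lighttpd/crl.pem}
STATE=${STATE:-/var/lib/lighttpd/crl.sha256}
PIDFILE=${PIDFILE:-/run/lighttpd.pid}

# Hash the content rather than trusting mtime, so re-downloading an
# identical CRL does not cause a restart.
crl_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# 0 = CRL differs from the last one acted on, 1 = unchanged,
# 2 = CRL missing or empty (e.g. a failed download); never reload on that.
crl_changed() {
    [ -s "$1" ] || return 2
    new=$(crl_digest "$1") || return 2
    old=$(cat "$2" 2>/dev/null || true)
    [ "$new" != "$old" ]
}

# Send SIGUSR1 (graceful restart) and record the digest only after the
# signal was delivered, so a failed attempt is retried on the next run.
# Returns 0 = restarted, 1 = unchanged, 2 = bad CRL, 3 = could not signal.
reload_on_change() {
    crl=$1 state=$2 pidfile=$3
    crl_changed "$crl" "$state" || return $?
    pid=$(cat "$pidfile" 2>/dev/null) || return 3
    kill -USR1 "$pid" 2>/dev/null || return 3
    crl_digest "$crl" > "$state"
}

# Run from cron or a systemd timer as: crl-reload.sh run
# (crl-reload.sh is a hypothetical name for this script).
if [ "${1:-}" = run ]; then
    reload_on_change "$CRL" "$STATE" "$PIDFILE"
fi
```

Whatever fetches the CRL should write it to a temporary file and rename it into place, so this script never hashes a partially written file.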
