mod_sslcrl
mod_sslcrl is a module for the Apache Web server. It verifies the validity of client certificates against the Certificate Revocation Lists (CRL) issued by Certification Authorities (CA). It may be used in combination with mod_ssl when x509 client certificate authentication is used. mod_sslcrl replaces the mod_ssl directives SSLCARevocationFile and SSLCARevocationPath and automatically downloads CRL files from CAs via HTTP(S).
mod_sslcrl is an open source software licensed under the Apache License. Downloads are handled by SourceForge.net.
mod_sslcrl has been designed for the Apache 2.2 Web server. It requires OpenSSL, mod_ssl, and shared memory support. You can compile the module using apxs.
Configuration is done on a global basis, outside VirtualHosts (except for the SSLCRL_Enable directive).
Global directives:
- SSLCRL_Cache <path>
Defines the file in which CRL data is stored. Make sure that the Apache child processes have write access to this file. The file must always be specified.
- SSLCRL_Url <url> [<proxyname>:<proxyport>] ['verify']
Defines an HTTP URL to download the CRL files from. You can define multiple URLs for several CAs. The cache file (defined by SSLCRL_Cache) is only updated if all(!) CRLs can be fetched. The optional parameter "<proxyname>:<proxyport>" is used to access the CA server through a forward proxy, and the "verify" option cancels the cache file update if the signature of a downloaded CRL can't be verified (missing CA certificate or invalid signature).
- SSLCRL_UpdateInterval <seconds>
Defines the interval in which mod_sslcrl should download new CRL data. Default is 86400 seconds (once a day).
- SSLCRL_ContentType <content-type> 'DER'|'PEM'
Optional directive to define if the downloaded CRL encoding is either DER or PEM.
- SSLCRL_RequestHeader <name> <value>
Optional directive to add a custom HTTP request header when downloading a CRL, e.g., a Proxy-Authorization header.
Per Location directive:
- SSLCRL_Enable 'on'|'off'
Enables or disables CRL verification on a per location basis. Default is 'on'.
mod_sslcrl requires mod_ssl. The standard mod_ssl directives (e.g., SSLEngine, SSLVerifyClient, SSLCACertificateFile and others) must be configured.
LoadModule sslcrl_module modules/mod_sslcrl.so
# Local cache file to store the downloaded CRL files to (placeholder path; adjust to your installation):
SSLCRL_Cache /path/to/crl.cache
# URLs to fetch the CRL files from:
SSLCRL_Url http://crl.foo.bar/verca.crl verify
SSLCRL_Url http://crl.foo.bar/vsidag1.crl verify
# Update interval (e.g., every four hours):
SSLCRL_UpdateInterval 14400
Each error message written by mod_sslcrl is prefixed with an ID of the form mod_sslcrl(nnn).
The 03x error IDs are also written to the error notes of Apache's request record to be processed by error pages that use server-side includes (SSI).
Available error messages:
mod_sslcrl(000): failed to create shared memory (%s): %s (%d bytes)
mod_sslcrl(001): requires directive SSLCRL_Cache
mod_sslcrl(002): failed to create mutex (%s): %s
mod_sslcrl(003): found SSLCRL_Url but no SSLCRL_Cache directive
mod_sslcrl(020): child %d - failed to load crl store from file '%s'
mod_sslcrl(021): failed to download crl from '%s' (%s)
mod_sslcrl(022): failed to store new crl file '%s'
mod_sslcrl(023): failed to verify signature of crl from '%s': %s
mod_sslcrl(030): failed to read client certificate (%d)
mod_sslcrl(031): invalid signature on CRL (%s)
mod_sslcrl(032): found CRL has invalid nextUpdate field (%s)
mod_sslcrl(033): found CRL has expired - revoking all certificates until you get updated CRL (%s)
mod_sslcrl(034): certificate with serial %ld has been revoked (per CRL from issuer '%s')
mod_sslcrl(040): CRL from '%s' expires bevore next update
mod_sslcrl(061): child %d - load crl store from file '%s'
mod_sslcrl(062): download crl from '%s'
mod_sslcrl(063): child %d - store new crl file '%s'
mod_sslcrl(064): found SSLCACertificateFile directive for file '%s'
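The messages 031 to 034 and 040 describe the checks mod_sslcrl applies to a CRL (signature by the CA, presence of nextUpdate, expiry, revoked serial, and expiry before the next download), and the 'verify' option of SSLCRL_Url applies the signature check at download time. The following script is an added example, not part of mod_sslcrl: it reproduces those checks with the openssl command line on a CA, client certificate and CRLs that it constructs itself in a temporary directory, so it runs offline. It assumes openssl and GNU date (for date -d) are on PATH; the file names, the "Example Client CA" subject and the status strings are this example's own.

```shell
#!/bin/sh
# Added example, not part of mod_sslcrl: reproduce with the openssl CLI the
# checks the module applies to a downloaded CRL (error IDs 031-034 and 040).
# Assumes openssl and GNU date (for -d) are on PATH. All material is
# constructed here in a temporary directory.
set -eu

WORK=$(mktemp -d)
CNF="$WORK/openssl.cnf"
CA_CERT="$WORK/ca.pem"; CA_KEY="$WORK/ca.key"
ROGUE_CA="$WORK/rogue.pem"        # different key, same subject name
CLIENT_CERT="$WORK/client.pem"
CRL="$WORK/daily.crl"             # stands in for a freshly downloaded CRL
SHORT_CRL="$WORK/short.crl"       # CRL whose nextUpdate lapses almost at once

# Minimal CA configuration: CRLs are valid for one day by default.
cat >"$CNF" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = example_ca
[ example_ca ]
database         = $WORK/index.txt
crlnumber        = $WORK/crlnumber
certificate      = $CA_CERT
private_key      = $CA_KEY
default_md       = sha256
default_crl_days = 1
EOF
: >"$WORK/index.txt"
echo 01 >"$WORK/crlnumber"

# Throwaway CA, a second CA with the same name but another key, and one
# client certificate; the client is revoked and two CRLs are published.
openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -keyout "$CA_KEY" \
  -out "$CA_CERT" -subj "/CN=Example Client CA" -days 30 >/dev/null 2>&1
openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -keyout "$WORK/rogue.key" \
  -out "$ROGUE_CA" -subj "/CN=Example Client CA" -days 30 >/dev/null 2>&1
openssl req -config "$CNF" -newkey rsa:2048 -nodes -keyout "$WORK/client.key" \
  -out "$WORK/client.csr" -subj "/CN=alice" >/dev/null 2>&1
openssl x509 -req -in "$WORK/client.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" \
  -CAcreateserial -out "$CLIENT_CERT" -days 30 >/dev/null 2>&1
openssl ca -config "$CNF" -revoke "$CLIENT_CERT" >/dev/null 2>&1
openssl ca -config "$CNF" -gencrl -out "$CRL" >/dev/null 2>&1
openssl ca -config "$CNF" -gencrl -crlsec 1 -out "$SHORT_CRL" >/dev/null 2>&1

# 031 / SSLCRL_Url 'verify': the CRL must carry a valid signature from a CA
# in the given file. openssl reports the result on stderr as "verify OK".
crl_signature_ok() {  # $1=crl $2=CA file
  openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q '^verify OK'
}

# 032: nextUpdate as epoch seconds; fails when the field is absent.
crl_next_update() {  # $1=crl
  nu=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
  case "$nu" in ""|NONE) return 1 ;; esac
  date -u -d "$nu" +%s
}

# Classify a CRL as mod_sslcrl would at request time. "expired" is the 033
# case (every certificate is treated as revoked until a fresh CRL arrives);
# "warn-expires-before-update" is the 040 case, where the CRL lapses before
# the next SSLCRL_UpdateInterval download would replace it.
crl_status() {  # $1=crl $2=CA file $3=update interval in seconds
  crl_signature_ok "$1" "$2" || { echo "bad-signature"; return 0; }
  nu=$(crl_next_update "$1") || { echo "no-next-update"; return 0; }
  now=$(date -u +%s)
  if [ "$nu" -le "$now" ]; then echo "expired"
  elif [ $((nu - now)) -lt "$3" ]; then echo "warn-expires-before-update"
  else echo "ok"; fi
}

# 034: is the certificate's serial number listed in the CRL?
cert_revoked() {  # $1=crl $2=certificate (PEM)
  serial=$(openssl x509 -in "$2" -noout -serial | sed 's/^serial=//')
  openssl crl -in "$1" -noout -text | grep -q "Serial Number: $serial\$"
}

sleep 2   # let the one-second CRL lapse so the 033 path can be shown
echo "daily CRL, 4h interval:   $(crl_status "$CRL" "$CA_CERT" 14400)"
echo "daily CRL, 48h interval:  $(crl_status "$CRL" "$CA_CERT" 172800)"
echo "daily CRL, wrong CA:      $(crl_status "$CRL" "$ROGUE_CA" 14400)"
echo "lapsed CRL, 4h interval:  $(crl_status "$SHORT_CRL" "$CA_CERT" 14400)"
if cert_revoked "$CRL" "$CLIENT_CERT"; then echo "alice: revoked"; fi
if ! cert_revoked "$CRL" "$CA_CERT"; then echo "CA serial: not listed"; fi
```

The 48-hour case shows why error 040 matters: a daily CRL combined with an SSLCRL_UpdateInterval longer than a day guarantees a window in which the cached CRL has expired, and during that window (error 033) every client certificate is rejected. The module performs the same checks in-process through the OpenSSL library against the cache file; the script only makes the decision logic visible.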
© 2010-2012, Pascal Buchbinder