_             _           _ 
  _ __ ___   ___   __| |    ___ ___| | ___ _ __| |
 | '_ ` _ \ / _ \ / _` |   / __/ __| |/ __| '__| |
 | | | | | | (_) | (_| |   \__ \__ \ | (__| |  | |
 |_| |_| |_|\___/ \__,_|___|___/___/_|\___|_|  |_|

mod_sslcrl is a module for the Apache Web server. It verifies the validity of client certificates against the Certificate Revocation Lists (CRL) issued by Certification Authorities (CA). It may be used as an extension to mod_ssl when x509 client certificate authentication is used. mod_sslcrl replaces the mod_ssl directives SSLCARevocationFile and SSLCARevocationPath and automatically downloads CRL files from CAs via HTTP(S).

mod_sslcrl is an open source software licensed under the Apache License. Downloads are handled by SourceForge.net.

mod_sslcrl at SourceForge.net

More information about mod_sslcrl:


mod_sslcrl has been tested for the Apache 2.2 and 2.4 Web server. It requires OpenSSL, mod_ssl, and shared memory support.
You can compile the module using apxs.


Configuration is done on a global basis, outside VirtualHosts (except for the SSLCRL_Enable directive).

Global directives:

  • SSLCRL_Cache <path>
    Defines the file in which CRL data is stored. Make sure that the Apache child processes have write access to this file. The file must always be specified to enable this module.
  • SSLCRL_Url <url> [<proxyname>:<proxyport>] ['verify']
    Defines an HTTP URL to download the CRL files from. You can define multiple URLs for several CAs. The cache file (defined by SSLCRL_Cache) is only updated if all(!) CRLs can be fetched.
    The optional parameter "<proxyname>:<proxyport>" is used to access the CA server using a forward proxy and the "verify" option is used to cancel cache file update if the signature of a downloaded CRL can't be verified (missing CA certifiate or invalid signature).
  • SSLCRL_UpdateInterval <seconds>
    Defines the interval in which mod_sslcrl should download new CRL data. Default is 86400 seconds (once a day).
  • SSLCRL_ContentType <content-type> 'DER'|'PEM'
    Optional directive to define if the downloaded CRL encoding is either DER or PEM.
  • SSLCRL_RequestHeader <name> <value>
    Optional directive to add a custom HTTP request header when downloading a CRL, e.g., a Proxy-Authorization header.
  • SSLCRL_ProxyEnable 'on'|'off'
    Enables or disables CRL verification for outgoing connections (e.g. by mod_proxy) replacing the SSLProxyCARevocationFile and SSLProxyCARevocationPath directive. Default is 'off'.
  • SSLCRL_SigAlg <signature algorithm>
    Defines a list of accepted certificate signature algorithms and verifies every certificate in the chain that it has been signed using one of those algorithm. Algorithm verification is disabled if this directive is not set. Algorithms are defined by there string representation, e.g., "sha256WithRSAEncryption".
Per Location directive:
  • SSLCRL_Enable 'on'|'off'
    Enables or disables CRL verification on a per location basis. Default is 'on'.

Sample configuration:
LoadModule               sslcrl_module       modules/mod_sslcrl.so

# Local cache file to store the downloaded CRL files to:
SSLCRL_Cache             /var/logs/apache/sslcrl.cache

# URLs to fetch the CRL files from:
SSLCRL_Url               http://crl.foo.bar/verca.crl   verify
SSLCRL_Url               http://crl.foo.bar/vsidag1.crl verify

# Update interval (e.g., every four hours):
SSLCRL_UpdateInterval    14400

mod_sslcrl requires mod_ssl. The standard mod_ssl directives (e.g., SSLEngine, SSLVerifyClient, SSLCACertificateFile and others) must be configured.

Log Messages

Each error message written by mod_sslcrl is prefixed with an ID: mod_sslcrl(<number>).
Available error messages:
mod_sslcrl(000): failed to create shared memory (%s): %s (%d bytes)
mod_sslcrl(001): requires directive SSLCRL_Cache
mod_sslcrl(002): failed to create mutex (%s): %s
mod_sslcrl(003): found SSLCRL_Url but no SSLCRL_Cache directive
mod_sslcrl(004): mod_ssl not loaded
mod_sslcrl(020): child %d - failed to load CRL store from file '%s'
mod_sslcrl(021): failed to download CRL from '%s' (%s)
mod_sslcrl(022): failed to store new CRL file '%s'
mod_sslcrl(023): failed to verify signature of CRL from '%s': %s
mod_sslcrl(030): failed to read client certificate (%d)
mod_sslcrl(031): invalid signature on CRL (%s)
mod_sslcrl(032): found CRL has invalid nextUpdate field (%s)
mod_sslcrl(033): found CRL has expired - revoking all certificates until you get updated CRL (%s)
mod_sslcrl(034): certificate with serial %ld has been revoked (per CRL from issuer '%s')
mod_sslcrl(040): CRL from '%s' expires bevore next update
mod_sslcrl(041): no CRL of issuer [%s] available, can't verify [%s]
mod_sslcrl(061): child %d - load CRL store from file '%s'
mod_sslcrl(062): download CRL from '%s'
mod_sslcrl(063): child %d - store new CRL file '%s'
mod_sslcrl(064): found SSLCACertificateFile directive for file '%s'
The 03x error IDs are also written to the error notes of Apache's request record to be processed by error pages that use server-side includes (SSI).

© 2010-2016, Pascal Buchbinder