Today, with Apache's mod_ssl, if a CRL expires before a new one is manually fetched (not least because the CA doesn't issue the CRL before the expected date/time, and this is hard to synchronize, mainly with several CAs), Apache starts to refuse all client certs until a fresh and valid/new CRL is fetched, creating in this way a self DoS.
How does mod_sslcrl behave in this case? Does it refuse the users until it gets a new CRL, or does it consider the old one valid until the next fetch? Is this configurable?
Best regards,
Klaubert
mod_sslcrl refuses certificates if the associated CRL has expired.
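Since an expired CRL means refused client certificates, a freshness check that flags each CA's CRL before its nextUpdate gives time to fetch a replacement. The following is an added example, not part of this thread and not mod_sslcrl code; it parses the output of `openssl crl -noout -nextupdate`, and the CA names, sample lines and 12-hour lead time are constructed assumptions.

```python
import subprocess
from datetime import datetime, timedelta, timezone

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

def read_next_update(path):
    """Return the 'nextUpdate=...' line openssl prints for a PEM CRL file."""
    cmd = ["openssl", "crl", "-in", path, "-noout", "-nextupdate"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def parse_next_update(line):
    """Parse 'nextUpdate=Jun  3 12:00:00 2025 GMT' into an aware UTC datetime."""
    key, _, value = line.strip().partition("=")
    try:
        if key != "nextUpdate":
            raise ValueError("wrong field")
        mon, day, clock, year, tz = value.split()
        if tz != "GMT":
            raise ValueError("unexpected time zone")
        hh, mm, ss = (int(x) for x in clock.split(":"))
        return datetime(int(year), MONTHS[mon], int(day), hh, mm, ss,
                        tzinfo=timezone.utc)
    except (KeyError, ValueError) as exc:
        raise ValueError(f"cannot parse nextUpdate line: {line!r}") from exc

def crl_state(next_update, now, lead):
    """'expired' once nextUpdate has passed, 'refresh' inside the lead window."""
    if now > next_update:
        return "expired"
    return "refresh" if now >= next_update - lead else "ok"

def audit(lines_by_ca, now, lead=timedelta(hours=12)):
    """Map each CA label to the state of its CRL at time `now`."""
    return {ca: crl_state(parse_next_update(line), now, lead)
            for ca, line in lines_by_ca.items()}

# Constructed sample output for three hypothetical CAs (not real data).
SAMPLE = {
    "ca-a": "nextUpdate=Jun  3 12:00:00 2025 GMT",
    "ca-b": "nextUpdate=Jun  2 06:00:00 2025 GMT",
    "ca-c": "nextUpdate=Jun  1 23:59:59 2025 GMT",
}
NOW = datetime(2025, 6, 2, 0, 0, 0, tzinfo=timezone.utc)  # constructed clock

if __name__ == "__main__":
    for ca, state in audit(SAMPLE, NOW).items():
        print(f"{ca}: {state}")
```

In a cron job, feed `audit` the lines returned by `read_next_update` for each CA's CRL file and alert on anything that is not `ok`.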