Index: docs/conf/extra/httpd-ssl.conf.in
===================================================================
--- docs/conf/extra/httpd-ssl.conf.in (revision 1331393)
+++ docs/conf/extra/httpd-ssl.conf.in (working copy)
@@ -142,12 +142,15 @@
# of them (file must be PEM encoded).
# The CRL checking mode needs to be configured explicitly
# through SSLCARevocationCheck (defaults to "none" otherwise).
+# Client certificates issued by CAs that do not have a CRL are
+# rejected unless SSLCARevocationAllowMissing is set to "on".
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath "@exp_sysconfdir@/ssl.crl"
#SSLCARevocationFile "@exp_sysconfdir@/ssl.crl/ca-bundle.crl"
#SSLCARevocationCheck chain
+#SSLCARevocationAllowMissing on
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
Index: docs/manual/mod/mod_ssl.xml
===================================================================
--- docs/manual/mod/mod_ssl.xml (revision 1331393)
+++ docs/manual/mod/mod_ssl.xml (working copy)
@@ -1087,6 +1087,9 @@
when checking is enabled, CRLs must be present for the validation
to succeed - otherwise it will fail with an
"unable to get certificate CRL"
error.
+The pre-2.3.15 behavior can be restored by setting the
+SSLCARevocationAllowMissing directive
+to "on".
Example
@@ -1098,6 +1101,34 @@
+SSLCARevocationAllowMissing
+Allow connections when there is no CRL present for a CA
+
+SSLCARevocationAllowMissing off|on
+SSLCARevocationAllowMissing off
+server config
+virtual host
+
+
+
+By default the CRL checking in mod_ssl will reject connections if a client
+certificate is signed by a CA that does not have a CRL available in any of the
+locations configured with
+SSLCARevocationFile
+or SSLCARevocationPath.
+Setting this directive to "on" will change this behavior, and make mod_ssl
+assume that a missing CRL means that no certificates signed by that CA are
+revoked.
+
+Example
+
+SSLCARevocationAllowMissing on
+
+
+
+
+
+
SSLVerifyClient
Type of Client Certificate verification
SSLVerifyClient level
Index: modules/ssl/ssl_private.h
===================================================================
--- modules/ssl/ssl_private.h (revision 1331393)
+++ modules/ssl/ssl_private.h (working copy)
@@ -628,6 +628,7 @@
const char *crl_path;
const char *crl_file;
ssl_crlcheck_t crl_check_mode;
+ BOOL crl_allow_missing;
#ifdef HAVE_OCSP_STAPLING
/** OCSP stapling options */
@@ -726,6 +727,7 @@
const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLCARevocationAllowMissing(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
Index: modules/ssl/mod_ssl.c
===================================================================
--- modules/ssl/mod_ssl.c (revision 1331393)
+++ modules/ssl/mod_ssl.c (working copy)
@@ -119,6 +119,9 @@
"('/path/to/file' - PEM encoded)")
SSL_CMD_SRV(CARevocationCheck, TAKE1,
"SSL CA Certificate Revocation List (CRL) checking mode")
+ SSL_CMD_SRV(CARevocationAllowMissing, TAKE1,
+ "SSL: whether to accept certificates without a corresponding CRL"
+ "('yes', 'no')")
SSL_CMD_ALL(VerifyClient, TAKE1,
"SSL Client verify type "
"('none', 'optional', 'require', 'optional_no_ca')")
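Review bot: The help string added for CARevocationAllowMissing advertises `('yes', 'no')`, but the handler added in ssl_engine_config.c only accepts `On`/`Off`, and the two literals are concatenated without a separating space, so the text reads `...corresponding CRL('yes', 'no')`. Suggest `"SSL: whether to accept certificates without a corresponding CRL "` followed by `"('on', 'off')"`, matching the values the directive actually parses and the `off|on` syntax given in the mod_ssl.xml hunk. If the directive is switched to FLAG (see the note on the handler in ssl_engine_config.c), this entry changes from TAKE1 to FLAG as well.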
Index: modules/ssl/ssl_engine_config.c
===================================================================
--- modules/ssl/ssl_engine_config.c (revision 1331393)
+++ modules/ssl/ssl_engine_config.c (working copy)
@@ -124,6 +124,7 @@
mctx->crl_path = NULL;
mctx->crl_file = NULL;
mctx->crl_check_mode = SSL_CRLCHECK_UNSET;
+ mctx->crl_allow_missing = FALSE;
mctx->auth.ca_cert_path = NULL;
mctx->auth.ca_cert_file = NULL;
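Review bot: Initialising `mctx->crl_allow_missing = FALSE` here while the second hunk of this file merges it with `cfgMergeBool(crl_allow_missing)` looks like it stops a virtual host from inheriting the global setting: if cfgMergeBool follows the file's usual `cfgMerge(el, UNSET)` pattern (its definition is not in the hunk), a vhost whose value is FALSE rather than UNSET always keeps FALSE, so `SSLCARevocationAllowMissing on` at server level would be silently ignored inside a `<VirtualHost>` even though the documentation hunk lists both contexts. Initialising with `mctx->crl_allow_missing = UNSET;` would let the merge work; the consumer in ssl_engine_kernel.c compares against TRUE, so an UNSET value still behaves as "off". The body of modssl_ctx_init starts before this hunk, so I cannot see whether other BOOL members are initialised to UNSET or FALSE here — please align with whichever the file uses for the other cfgMergeBool members.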
@@ -247,6 +248,7 @@
cfgMerge(crl_path, NULL);
cfgMerge(crl_file, NULL);
cfgMerge(crl_check_mode, SSL_CRLCHECK_UNSET);
+ cfgMergeBool(crl_allow_missing);
cfgMergeString(auth.ca_cert_path);
cfgMergeString(auth.ca_cert_file);
@@ -964,6 +966,24 @@
return ssl_cmd_crlcheck_parse(cmd, arg, &sc->server->crl_check_mode);
}
+const char *ssl_cmd_SSLCARevocationAllowMissing(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ if (!strcasecmp(arg, "On")) {
+ sc->server->crl_allow_missing = TRUE;
+ return NULL;
+ }
+ else if (!strcasecmp(arg, "Off")) {
+ sc->server->crl_allow_missing = FALSE;
+ return NULL;
+ }
+
+ return "Argument must be On or Off";
+}
+
static const char *ssl_cmd_verify_parse(cmd_parms *parms,
const char *arg,
ssl_verify_t *id)
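Review bot: ssl_cmd_SSLCARevocationAllowMissing hand-parses On/Off with strcasecmp, while the neighbouring SSLHonorCipherOrder prototype in ssl_private.h (`cmd_parms *cmd, void *dcfg, int flag`) shows the module already lets the core's FLAG handler do this, which accepts the same On/Off spellings and produces the "must be On or Off" error itself. Declaring the directive as FLAG in mod_ssl.c, changing the prototype in ssl_private.h accordingly, and reducing the body to `SSLSrvConfigRec *sc = mySrvConfig(cmd->server);`, `sc->server->crl_allow_missing = flag ? TRUE : FALSE;`, `return NULL;` removes the duplicated parsing and keeps the help text from drifting out of sync with what is accepted. If the directive stays TAKE1, the error string `"Argument must be On or Off"` should at least name the directive, as the core's message does, so a config error points at the offending line.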
Index: modules/ssl/ssl_engine_kernel.c
===================================================================
--- modules/ssl/ssl_engine_kernel.c (revision 1331393)
+++ modules/ssl/ssl_engine_kernel.c (working copy)
@@ -1434,6 +1434,16 @@
*/
return TRUE;
}
+
+ /*
+ * Ignore a missing CRL if SSLCARevocationAllowMissing is set to "On".
+ */
+ if (mctx->crl_allow_missing == TRUE &&
+ errnum == X509_V_ERR_UNABLE_TO_GET_CRL)
+ {
+ X509_STORE_CTX_set_error(ctx, X509_V_OK);
+ return TRUE;
+ }
if (ssl_verify_error_is_optional(errnum) &&
(verify == SSL_CVERIFY_OPTIONAL_NO_CA))
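Review bot: The new branch clears X509_V_ERR_UNABLE_TO_GET_CRL and returns TRUE without writing anything to the log, so once `SSLCARevocationAllowMissing on` is set an operator has no record that a client certificate was accepted without a revocation check or which CA's CRL was missing — exactly the situation (a CRL that expired, was never published, or was dropped from SSLCARevocationPath) the option is meant to tolerate temporarily, not hide. Add a log call inside the branch before `X509_STORE_CTX_set_error(ctx, X509_V_OK);` at INFO or higher, reporting the error depth (`X509_STORE_CTX_get_error_depth(ctx)`) and the issuer of the certificate being verified; I believe this file's `ssl_log_cxerror` helper takes the certificate and formats the subject, but whether a `conn_rec` is in scope at this point of the callback is not visible in the hunk (the enclosing verify callback starts before it). A constructed wording would be `"CRL for issuer of certificate at depth %d not found, accepting because SSLCARevocationAllowMissing is on"`. Note also that the branch runs for every depth regardless of SSLCARevocationCheck leaf/chain, which matches the documented intent but is worth stating in the comment above it.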