cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
- From: Jan Dittberner <jandd AT cacert.org>
- To: cacert-sysadm AT lists.cacert.org
- Cc: cats-admin AT cacert.org, blog-admin AT cacert.org, community-admin AT cacert.org, lists-admin AT cacert.org, Mario Lipinski <mario AT cacert.org>
- Subject: Re: Revocation checking on hosts that accept client certificates
- Date: Tue, 22 May 2012 12:17:36 +0200
On Mon, May 21, 2012 at 05:12:50PM +0200, Michael Tänzer wrote:
> Hi Guys,
>
> Michael Ionescu recently made me aware of a serious issue with our
> client cert enabled services. On almost all services we do not have
> revocation checking enabled which is kind of like a password users are
> not allowed to change even if they know it got into the wrong hands.
>
> I have extended the documentation on our Wiki to cover how to enable
> revocation checking with Apache versions < 2.3:
> https://wiki.cacert.org/ApacheServerClientCertificateAuthentication#Revoked_Certificate_Checking
>
> Please adjust the configuration of your servers accordingly. If there is
> some problem because your host can't connect to https://crl.cacert.org/
> there's probably a restriction in the firewall. In that case contact
> Mario, I'm sure he can help you out there.
I just added an appropriate firewall rule on infra01 to allow the LXC
containers to reach crl.cacert.org on port 443.
CRL checks are now enabled on svn.cacert.org.
Best regards
Jan
--
Jan Dittberner - CAcert Infrastructure Team
Software Architect, Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
B2FF 1D95 CE8F 7A22 DF4C F09B A73E 0055 558F B8DD
http://www.dittberner.info/
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
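As an added illustration of the change Michael asks for (this is example configuration written for this archive page, not the wiki text and not any CAcert host's real config): a client-certificate vhost without revocation checking next to the corrected Apache 2.2 form. The hostname, certificate and CRL paths are assumptions; the CRL source https://crl.cacert.org/ is the one named in the thread.

```apache
# --- Before: the client certificate is validated against the CA, but a
# revoked certificate keeps working until it expires, which is the gap
# described in the thread. (Hostname and paths are assumptions.)
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/svn.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/svn.example.org.key
    SSLCACertificateFile  /etc/ssl/certs/cacert_root_and_class3.pem
    SSLVerifyClient       require
    SSLVerifyDepth        2
</VirtualHost>

# --- After, Apache 2.2: pointing mod_ssl at a CRL is what turns the
# check on; this version has no separate switch. The CRL must be PEM,
# so convert a DER download first:
#   openssl crl -inform DER -in downloaded.crl -outform PEM -out cacert.crl
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/svn.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/svn.example.org.key
    SSLCACertificateFile  /etc/ssl/certs/cacert_root_and_class3.pem
    SSLVerifyClient       require
    SSLVerifyDepth        2
    # Concatenate the CRLs of every CA you accept into this one PEM file.
    # Alternative: SSLCARevocationPath /etc/ssl/crl, a directory of CRLs
    # with OpenSSL hash-style names (run c_rehash after each update).
    SSLCARevocationFile   /etc/ssl/crl/cacert.crl
</VirtualHost>

# Operational notes:
#  * mod_ssl reads the CRL at startup only. The job that fetches the
#    fresh CRL from https://crl.cacert.org/ (the reason for the firewall
#    rule mentioned in the reply) must end with "apachectl graceful",
#    otherwise the old revocation list stays in effect.
#  * Once the CRL's NextUpdate time has passed, OpenSSL treats it as
#    expired and every client-certificate handshake fails, so alert on a
#    stale CRL file instead of discovering it through an outage.
#  * Apache 2.4 (2.3.15 and later) changed the default: the file is
#    loaded but not consulted unless you also set
#        SSLCARevocationCheck chain
```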