cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
List archive
- From: Michael Tänzer <michael.taenzer AT cacert.org>
- To: cacert-sysadm AT lists.cacert.org, cats-admin AT cacert.org, blog-admin AT cacert.org, community-admin AT cacert.org, lists-admin AT cacert.org, Mario Lipinski <mario AT cacert.org>
- Subject: Re: Revocation checking on hosts that accept client certificates
- Date: Fri, 18 Oct 2013 04:43:37 +0200
- Openpgp: id=9940BEF1
Hi,
I have updated the script mentioned in the wiki page to only download
the CRL if there's a newer version available to save traffic. Please
update the scripts on your servers.
https://wiki.cacert.org/ApacheServerClientCertificateAuthentication?action=AttachFile&do=get&target=update-crls.sh
On 21.05.2012 17:12, Michael Tänzer wrote:
> Michael Ionescu recently made me aware of a serious issue with our
> client cert enabled services. On almost all services we do not have
> revocation checking enabled which is kind of like a password users are
> not allowed to change even if they know it got into the wrong hands.
>
> I have extended the documentation on our Wiki to cover how to enable
> revocation checking with Apache versions < 2.3:
> https://wiki.cacert.org/ApacheServerClientCertificateAuthentication#Revoked_Certificate_Checking
>
> Please adjust the configuration of your servers accordingly. If there is
> some problem because your host can't connect to https://crl.cacert.org/
> there's probably a restriction in the firewall. In that case contact
> Mario, I'm sure he can help you out there.
--
Cheers,
Michael Tänzer
Attachment:
signature.asc
Description: OpenPGP digital signature
- Re: Revocation checking on hosts that accept client certificates, Michael Tänzer, 10/18/2013
- Re: Revocation checking on hosts that accept client certificates, Michael Tänzer, 10/28/2013
Archive powered by MHonArc 2.6.18.