cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
- From: Michael Tänzer <michael.taenzer AT cacert.org>
- To: cacert-sysadm AT lists.cacert.org, cats-admin AT cacert.org, blog-admin AT cacert.org, community-admin AT cacert.org, lists-admin AT cacert.org, Mario Lipinski <mario AT cacert.org>
- Subject: Re: Revocation checking on hosts that accept client certificates
- Date: Mon, 28 Oct 2013 19:54:18 +0100
- Openpgp: id=9940BEF1
Hi,
Because we now offer the CRLs via rsync (thanks to Wytze) I have
uploaded yet another version of the script which reduces the traffic for
each update to a few bytes.
PLEASE NOTE: This version needs the rsync utility to be installed (but
curl is not needed anymore).
https://wiki.cacert.org/ApacheServerClientCertificateAuthentication?action=AttachFile&do=get&target=update-crls.sh
On 18.10.2013 04:43, Michael Tänzer wrote:
> Hi,
>
> I have updated the script mentioned in the wiki page to only download
> the CRL if there's a newer version available to save traffic. Please
> update the scripts on your servers.
>
> https://wiki.cacert.org/ApacheServerClientCertificateAuthentication?action=AttachFile&do=get&target=update-crls.sh
>
> On 21.05.2012 17:12, Michael Tänzer wrote:
>> Michael Ionescu recently made me aware of a serious issue with our
>> client cert enabled services. On almost all services we do not have
>> revocation checking enabled which is kind of like a password users are
>> not allowed to change even if they know it got into the wrong hands.
>>
>> I have extended the documentation on our Wiki to cover how to enable
>> revocation checking with Apache versions < 2.3:
>> https://wiki.cacert.org/ApacheServerClientCertificateAuthentication#Revoked_Certificate_Checking
>>
>> Please adjust the configuration of your servers accordingly. If there is
>> some problem because your host can't connect to https://crl.cacert.org/
>> there's probably a restriction in the firewall. In that case contact
>> Mario, I'm sure he can help you out there.
--
Have fun,
Michael Tänzer