[CentOS] Certificates Revocation Lists and Apache...

Wed Nov 4 15:40:41 UTC 2009
nate <centos at linuxpowered.net>

John Doe wrote:

>   [warn] Invalid signature on CRL
>   [error] Certificate Verification: Error (8): CRL signature failure

Any relation to this?
https://issues.apache.org/bugzilla/show_bug.cgi?id=45708

I've worked with a lot of SSL stuff in Apache but have never
touched CRL before.

Interestingly enough, I found last year that some of VeriSign's
CRLs weren't built to scale. One of our customers put some content
on their site that pointed back to us, which then triggered a call
to the CRL for those people using IE and Symantec antivirus (which
turned on the CRL option in IE). The site was a very high traffic
site and the customers routinely got errors from the CRL site
because it was overloaded with requests.

So few use CRL, I really don't see the benefit, but I suppose in
really controlled environments it could be useful (just not to me).

nate