mod_sslcrl is a module for the Apache Web server. It verifies the validity of client certificates against the Certificate Revocation Lists (CRL) issued by Certification Authorities (CA). It may be used as an extension to mod_ssl when x509 client certificate authentication is used. mod_sslcrl replaces the mod_ssl directives SSLCARevocationFile and SSLCARevocationPath and automatically downloads CRL files from CAs via HTTP(S).
mod_sslcrl is open source software licensed under the Apache License. Downloads are handled by SourceForge.net.
More information about mod_sslcrl:
mod_sslcrl has been tested for the
and 2.4 Web server. It requires OpenSSL, mod_ssl, and shared
You can compile the module using
Configuration is done on a global basis, outside VirtualHosts (except
for the SSLCRL_Enable directive).
Per Location directive:
- SSLCRL_Cache <path>
Defines the file in which CRL data is stored. Make sure that the Apache child
processes have write access to this file. The file must always be specified to
enable this module.
- SSLCRL_Url <url> [<proxyname>:<proxyport>] ['verify']
Defines an HTTP URL to download the CRL files from. You can define multiple
URLs for several CAs. The cache file (defined by SSLCRL_Cache)
is only updated if all(!) CRLs can be fetched.
The optional parameter
"<proxyname>:<proxyport>" is used to access the CA server using
a forward proxy and the "verify" option is used to cancel cache file update
if the signature of a downloaded CRL can't be verified (missing CA certificate
or invalid signature).
- SSLCRL_UpdateInterval <seconds>
Defines the interval at which mod_sslcrl should download new CRL data.
Default is 86400 seconds (once a day).
- SSLCRL_ContentType <content-type> 'DER'|'PEM'
Optional directive to define if the downloaded CRL encoding is either DER or
- SSLCRL_RequestHeader <name> <value>
Optional directive to add a custom HTTP request header when downloading a
CRL, e.g., a Proxy-Authorization header.
- SSLCRL_ProxyEnable 'on'|'off'
Enables or disables CRL verification for outgoing connections (e.g. by
mod_proxy) replacing the SSLProxyCARevocationFile and
SSLProxyCARevocationPath directives. Default is 'off'.
- SSLCRL_SigAlg <signature algorithm>
Defines a list of accepted certificate signature algorithms and
verifies that every certificate in the chain has been signed
using one of those algorithms. Algorithm verification is disabled
if this directive is not set. Algorithms are defined by their
string representation, e.g., "sha256WithRSAEncryption".
- SSLCRL_Enable 'on'|'off'
Enables or disables CRL verification on a per location basis. Default is 'on'.
LoadModule sslcrl_module modules/mod_sslcrl.so
# Local cache file to store the downloaded CRL files to
# (placeholder path, adjust to your installation):
SSLCRL_Cache /path/to/sslcrl_cache
# URLs to fetch the CRL files from:
SSLCRL_Url http://crl.foo.bar/verca.crl verify
SSLCRL_Url http://crl.foo.bar/vsidag1.crl verify
# Update interval (e.g., every four hours):
SSLCRL_UpdateInterval 14400
mod_sslcrl requires mod_ssl.
The standard mod_ssl directives (e.g., SSLEngine, SSLVerifyClient,
SSLCACertificateFile and others) must be configured.
Each error message written by mod_sslcrl is prefixed with an ID:
The 03x error IDs are also written to the error notes of Apache's request
record to be processed by error pages that use server-side includes
Available error messages:
mod_sslcrl(000): failed to create shared memory (%s): %s (%d bytes)
mod_sslcrl(001): requires directive SSLCRL_Cache
mod_sslcrl(002): failed to create mutex (%s): %s
mod_sslcrl(003): found SSLCRL_Url but no SSLCRL_Cache directive
mod_sslcrl(004): mod_ssl not loaded
mod_sslcrl(020): child %d - failed to load CRL store from file '%s'
mod_sslcrl(021): failed to download CRL from '%s' (%s)
mod_sslcrl(022): failed to store new CRL file '%s'
mod_sslcrl(023): failed to verify signature of CRL from '%s': %s
mod_sslcrl(030): failed to read client certificate (%d)
mod_sslcrl(031): invalid signature on CRL (%s)
mod_sslcrl(032): found CRL has invalid nextUpdate field (%s)
mod_sslcrl(033): found CRL has expired - revoking all certificates until you get updated CRL (%s)
mod_sslcrl(034): certificate with serial %ld has been revoked (per CRL from issuer '%s')
mod_sslcrl(040): CRL from '%s' expires bevore next update
mod_sslcrl(041): no CRL of issuer [%s] available, can't verify [%s]
mod_sslcrl(061): child %d - load CRL store from file '%s'
mod_sslcrl(062): download CRL from '%s'
mod_sslcrl(063): child %d - store new CRL file '%s'
mod_sslcrl(064): found SSLCACertificateFile directive for file '%s'
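
The message IDs above can be used to triage an Apache error log. The following Python example is added here and is not part of mod_sslcrl or its documentation; the choice of which IDs to alert on, the note texts, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Matches the "mod_sslcrl(NNN): text" prefix used by every message above.
MSG_RE = re.compile(r"mod_sslcrl\((\d{3})\): (.*)")
REVOKED_RE = re.compile(
    r"certificate with serial (\d+) has been revoked "
    r"\(per CRL from issuer '(.*)'\)")

# Which IDs to alert on is an assumption of this example, based on the
# message texts; the wording of each note is ours, not the module's.
ALERTS = {
    "021": "CRL download failed, cache file is not updated",
    "022": "new CRL file could not be stored",
    "023": "CRL signature could not be verified",
    "033": "CRL expired, all certificates are treated as revoked",
    "034": "revoked client certificate presented",
    "040": "CRL expires before the next scheduled update",
    "041": "no CRL available for issuer",
}

def triage(lines):
    """Return (Counter of alerting IDs, [(serial, issuer)] from 034 lines)."""
    counts, revoked = Counter(), []
    for line in lines:
        m = MSG_RE.search(line)
        if not m or m.group(1) not in ALERTS:
            continue  # not a mod_sslcrl line, or an ID outside the alert list
        counts[m.group(1)] += 1
        r = REVOKED_RE.search(m.group(2)) if m.group(1) == "034" else None
        if r:
            revoked.append((int(r.group(1)), r.group(2)))
    return counts, revoked

def fail_closed(counts):
    """True when an expired CRL (033) is rejecting every client."""
    return counts["033"] > 0

# Constructed sample lines (log level, reasons, serial and issuer invented).
SAMPLE = [
    "[error] mod_sslcrl(021): failed to download CRL from 'http://crl.foo.bar/verca.crl' (timeout)",
    "[notice] mod_sslcrl(062): download CRL from 'http://crl.foo.bar/vsidag1.crl'",
    "[error] mod_sslcrl(033): found CRL has expired - revoking all certificates until you get updated CRL (CN=Example CA)",
    "[error] mod_sslcrl(034): certificate with serial 4660 has been revoked (per CRL from issuer 'CN=Example CA')",
]

if __name__ == "__main__":
    counts, revoked = triage(SAMPLE)
    for msg_id, n in sorted(counts.items()):
        print(f"{msg_id} x{n}: {ALERTS[msg_id]}")
    print("revoked:", revoked, "fail-closed:", fail_closed(counts))
```

Because the cache file is only updated when all CRLs can be fetched, a run of 021 messages is worth alerting on before the cached CRL reaches its nextUpdate and 033 starts rejecting every client.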