mod_sslcrl is a module for the Apache Web server. It verifies the validity of client certificates against the Certificate Revocation Lists (CRL) issued by Certification Authorities (CA). It may be used as an extension to mod_ssl when x509 client certificate authentication is used. mod_sslcrl replaces the mod_ssl directives SSLCARevocationFile and SSLCARevocationPath and automatically downloads CRL files from CAs via HTTP(S).
mod_sslcrl is an open source software licensed under the Apache License. Downloads are handled by SourceForge.net.
Build
mod_sslcrl has been tested with the Apache 2.2 and 2.4 Web server. It requires OpenSSL, mod_ssl, and shared memory support. You can compile the module using apxs:
apxs -i -c mod_sslcrl.c -lcrypto
Configuration
Configuration is done on a global basis, outside VirtualHosts (except
for the SSLCRL_Enable directive).
Global directives:
- SSLCRL_Cache <path>
Defines the file in which CRL data is stored. Make sure that the Apache child
processes have write access to this file. The file must always be specified to
enable this module.
- SSLCRL_Url <url> [<proxyname>:<proxyport>] ['verify']
Defines an HTTP URL to download the CRL files from. You can define multiple
URLs for several CAs. The cache file (defined by SSLCRL_Cache)
is only updated if all(!) CRLs can be fetched. The optional parameter
"<proxyname>:<proxyport>" is used to access the CA server through
a forward proxy, and the "verify" option cancels the cache file update
if the signature of a downloaded CRL can't be verified (missing CA certificate
or invalid signature).
- SSLCRL_UpdateInterval <seconds>
Defines the interval in which mod_sslcrl should download new CRL data.
Default is 86400 seconds (once a day).
- SSLCRL_ContentType <content-type> 'DER'|'PEM'
Optional directive to define if the downloaded CRL encoding is either DER or
PEM.
- SSLCRL_RequestHeader <name> <value>
Optional directive to add a custom HTTP request header when downloading a
CRL, e.g., a Proxy-Authorization header.
- SSLCRL_ProxyEnable 'on'|'off'
Enables or disables CRL verification for outgoing connections (e.g. by
mod_proxy) replacing the SSLProxyCARevocationFile and
SSLProxyCARevocationPath directive. Default is 'off'.
- SSLCRL_SigAlg <signature algorithm>
Defines a list of accepted certificate signature algorithms and
verifies, for every certificate in the chain, that it has been signed
using one of those algorithms. Algorithm verification is disabled
if this directive is not set. Algorithms are given by their
string representation, e.g., "sha256WithRSAEncryption".
Per Location directive:
- SSLCRL_Enable 'on'|'off'
Enables or disables CRL verification on a per location basis. Default is 'on'.
Sample configuration:
LoadModule sslcrl_module modules/mod_sslcrl.so
# Local cache file to store the downloaded CRL files to:
SSLCRL_Cache /var/logs/apache/sslcrl.cache
# URLs to fetch the CRL files from:
SSLCRL_Url http://crl.foo.bar/verca.crl verify
SSLCRL_Url http://crl.foo.bar/vsidag1.crl verify
# Update interval (e.g., every four hours):
SSLCRL_UpdateInterval 14400
mod_sslcrl requires mod_ssl.
The standard mod_ssl directives (e.g., SSLEngine, SSLVerifyClient,
SSLCACertificateFile and others) must be configured.
Log Messages
Each error message written by mod_sslcrl is prefixed with an ID: mod_sslcrl(<number>).
Available error messages:
mod_sslcrl(000): failed to create shared memory (%s): %s (%d bytes)
mod_sslcrl(001): requires directive SSLCRL_Cache
mod_sslcrl(002): failed to create mutex (%s): %s
mod_sslcrl(003): found SSLCRL_Url but no SSLCRL_Cache directive
mod_sslcrl(004): mod_ssl not loaded
mod_sslcrl(020): child %d - failed to load CRL store from file '%s'
mod_sslcrl(021): failed to download CRL from '%s' (%s)
mod_sslcrl(022): failed to store new CRL file '%s'
mod_sslcrl(023): failed to verify signature of CRL from '%s': %s
mod_sslcrl(030): failed to read client certificate (%d)
mod_sslcrl(031): invalid signature on CRL (%s)
mod_sslcrl(032): found CRL has invalid nextUpdate field (%s)
mod_sslcrl(033): found CRL has expired - temporary revoking all certificates until you get updated CRL (%s)
mod_sslcrl(034): certificate with serial %ld has been revoked (per CRL from issuer '%s')
mod_sslcrl(035): signature algorithm '%s' of certificate [%s] is not allowed
mod_sslcrl(040): CRL from '%s' expires bevore next update
mod_sslcrl(041): no CRL of issuer [%s] available, can't verify [%s]
mod_sslcrl(061): child %d - load CRL store from file '%s'
mod_sslcrl(062): download CRL from '%s'
mod_sslcrl(063): child %d - store new CRL file '%s'
mod_sslcrl(064): found SSLCACertificateFile directive for file '%s'
The 03x error IDs are also written to the error notes of Apache's request
record, so that error pages using server-side includes (SSI) can
process them.
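The following is an added example, not code from mod_sslcrl itself: a small model of the per-request checks that the SSLCRL_SigAlg and SSLCRL_UpdateInterval directives and the 03x/04x messages above describe, run over constructed CRL and certificate records. It assumes that 03x IDs reject the request and 04x IDs only warn (the page states this only for the 03x IDs), and that the "expires before next update" check (040) is evaluated against the configured update interval.

```python
# Added example (not part of mod_sslcrl): models the verification decisions
# behind the module's 03x/04x messages on constructed, fake data.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Crl:                      # one cached CRL, keyed by its issuer DN
    issuer: str
    next_update: Optional[datetime]
    revoked: set = field(default_factory=set)   # revoked serial numbers

@dataclass
class Cert:                     # one certificate of the presented chain
    subject: str
    issuer: str
    serial: int
    sig_alg: str                # e.g. "sha256WithRSAEncryption"

def verify_chain(chain, crls, now, update_interval=86400, sig_algs=None):
    """Return (accepted, messages) for a client chain (leaf first).
    Assumption: 03x messages reject the request, 04x messages only warn."""
    msgs, accepted = [], True
    for cert in chain:
        # SSLCRL_SigAlg: every certificate in the chain must use a listed algorithm
        if sig_algs is not None and cert.sig_alg not in sig_algs:
            msgs.append(f"mod_sslcrl(035): signature algorithm '{cert.sig_alg}' "
                        f"of certificate [{cert.subject}] is not allowed")
            accepted = False
            continue
        crl = crls.get(cert.issuer)
        if crl is None:   # assumption: no CRL for the issuer is a warning (04x)
            msgs.append(f"mod_sslcrl(041): no CRL of issuer [{cert.issuer}] "
                        f"available, can't verify [{cert.subject}]")
            continue
        if crl.next_update is None:
            msgs.append(f"mod_sslcrl(032): invalid nextUpdate field ({crl.issuer})")
            accepted = False
        elif now > crl.next_update:
            # an expired CRL revokes everything until a fresh CRL is cached
            msgs.append(f"mod_sslcrl(033): CRL has expired ({crl.issuer})")
            accepted = False
        elif crl.next_update < now + timedelta(seconds=update_interval):
            # SSLCRL_UpdateInterval is longer than the remaining CRL validity
            msgs.append(f"mod_sslcrl(040): CRL from '{crl.issuer}' expires before next update")
        if cert.serial in crl.revoked:
            msgs.append(f"mod_sslcrl(034): certificate with serial {cert.serial} "
                        f"has been revoked (per CRL from issuer '{crl.issuer}')")
            accepted = False
    return accepted, msgs
```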