New Release of OSS Module mod_sslcrl: Update Certificate Revocation Lists Automatically
After the Heartbleed bug in OpenSSL, many operators are replacing the certificates on their web servers and having the old, potentially compromised certificates revoked. This only helps, however, if the revocation lists in use are always up to date. With the open source Apache module mod_sslcrl, the update on the web server can be automated. The latest version of the module also checks the server certificates of the web servers it contacts.
“Renew your server certificates” can currently be read in many blog entries on the OpenSSL Heartbleed bug, and many administrators are following this advice as a precautionary measure[1]. When an existing certificate is renewed, the old one must of course be revoked. To do this, the Certificate Authority (CA) revokes the old certificate and adds it to the Certificate Revocation List (CRL), which it publishes at regular intervals.
However, revoking potentially compromised certificates only helps if browsers and web servers always use the current revocation lists. Browser vendors take different approaches here: for example, they distribute revocation lists directly with software updates, let the browser download the CRLs itself, or check the validity of a certificate in real time using the Online Certificate Status Protocol (OCSP).
Anyone who operates a web server must usually ensure on their own that the server receives the latest CRLs regularly in order to verify the certificates of clients (browsers) or of other servers. To simplify this administration, AdNovum has developed mod_sslcrl, an add-on for the Apache web server, still the most popular web server worldwide[2]. mod_sslcrl can be used as an extension to mod_ssl[3] and can be downloaded free of charge from our website opensource.adnovum.ch. Once installed and configured, mod_sslcrl autonomously downloads the revocation lists of the configured CAs at regular intervals, activates them on the web server and checks certificates against these revocation lists.
Now also for outgoing connections
Web servers sometimes call other web servers themselves in order to exchange data. The latest version of mod_sslcrl addresses this case as well: for outgoing connections, e.g. those initiated via mod_proxy[4] or mod_auth_oid[5], mod_sslcrl now also checks the certificate of the contacted web server against the CRLs it has previously downloaded. The module thus ensures that the CRLs are applied comprehensively and kept constantly up to date. The revocation lists no longer need to be installed and activated manually.