In our application we use authentication based on client ssl certificate. I've found out that the checking of client cert revocation is not done automatically, if the Crl Distribution Point is present in client certificate. Is it an intention or only not done yet?
The only way how to do revocation checking is to configure SSLCARevocationPath or SSLCARevocationFile.
The world of certificates is full of mess. Crl Distribution Point is not mandatory. So if it is not present, it is the last chance to do checking thorugh SSLCARevocation* vars. So they have their meaning. I've found a discussion about reloading values of SSLCARevocation*
"CRL refreshing should also be taken into account; killing and restarting a webserver every hour or every day because we downloaded a new CRL is not a viable solution in a production environment, and OCSP
is not always a good answer (we're not talking about a sub-minute revocation status)."
So my question is. Is the CRL refreshing (reload of CRL files) done in the current Apache versions? And in the end, what about OCSP - is it supported?