Topic: Apache allowing revoked certificates
apachenubee
Joined: 05 Nov 2015 Posts: 2 Location: US, DC
Posted: Fri 06 Nov '15 15:22 Post subject: Apache allowing revoked certificates
Hello All, I am fairly new to Linux and completely new to Apache. I have set up Apache as a reverse proxy to Tomcat. I have a test CA (OpenSSL) that I used to generate client certificates and a CRL. I copied the CRL to the Apache server and pointed to it in the .conf file, but users with revoked certificates are still able to access the site. I included part of the httpd.conf file. I am not sure if I need to add something or if something is misconfigured. Any help is greatly appreciated. Thanks in advance!
RHEL 6.6 - Apache 2.4 - OpenSSL 1.0.1
httpd.conf

<VirtualHost 192.168.0.11:443>
    DocumentRoot /opt/www/
    SSLEngine on
    SSLOptions +ExportCertData +StdEnvVars
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /www/apache/ssl/ca_cert.pem
    SSLOptions +FakeBasicAuth
    SSLCertificateFile /www/apache/ssl/test_dev.crt
    SSLCertificateKeyFile /www/apache/ssl/test_dev.key
    SSLCARevocationFile /www/apache/ssl/crl/crl.pem
    SSLProxyEngine on
    ...
    ....
    .....
</VirtualHost>
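Before blaming Apache for accepting a revoked client certificate, it is worth confirming that the CRL itself marks the certificate as revoked. The script below is an added example, not code from the original post: it builds a throwaway OpenSSL CA in a temporary directory, issues a client certificate, revokes it, regenerates the CRL and runs `openssl verify -crl_check` against the CA certificate plus CRL, which is the same OpenSSL revocation check mod_ssl turns on once CRL checking is enabled. The CA name, the client name "alice" and the file layout are assumptions made here; the poster's real CA and paths are not used.

```shell
#!/bin/sh
# Added example (not from the original thread): throwaway OpenSSL CA, one client
# cert, revoke it, regenerate the CRL, then check the cert against that CRL.
# Names (TestCA, alice) and the directory layout are assumptions of this script.
set -eu

# make_test_ca DIR: CA key/cert, the bookkeeping files "openssl ca" needs,
# a minimal CA config written by heredoc, and an initial (empty) CRL.
make_test_ca() {
    d=$1
    mkdir -p "$d/newcerts"
    : > "$d/index.txt"
    echo 01 > "$d/serial"
    echo 01 > "$d/crlnumber"
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca       = test_ca
[ test_ca ]
dir              = $d
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = client_ext
[ policy_any ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName       = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -config "$d/ca.cnf" -x509 -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 365 -subj /CN=TestCA -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" >/dev/null 2>&1
}

# issue_client DIR NAME: sign a client certificate for NAME with the test CA.
issue_client() {
    d=$1; n=$2
    openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$n" \
        -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1
    openssl ca -batch -config "$d/ca.cnf" -notext -in "$d/$n.csr" -out "$d/$n.crt" >/dev/null 2>&1
}

# revoke_client DIR NAME: revoke NAME's certificate and regenerate crl.pem.
# "-revoke" only updates index.txt; the CRL file changes at "-gencrl".
revoke_client() {
    d=$1; n=$2
    openssl ca -config "$d/ca.cnf" -revoke "$d/$n.crt" >/dev/null 2>&1
    openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" >/dev/null 2>&1
}

# cert_status DIR NAME: "valid", "revoked" or "error" according to the current CRL.
# openssl verify loads CRLs from the -CAfile bundle, so CA cert and CRL are concatenated.
cert_status() {
    d=$1; n=$2
    cat "$d/ca.crt" "$d/crl.pem" > "$d/ca_and_crl.pem"
    out=$(openssl verify -crl_check -CAfile "$d/ca_and_crl.pem" "$d/$n.crt" 2>&1 || true)
    case $out in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo valid ;;
        *)                       echo error ;;
    esac
}

# demo: run the whole cycle; prints the status before and after revocation.
demo() {
    d=$(mktemp -d)
    make_test_ca "$d"
    issue_client "$d" alice
    before=$(cert_status "$d" alice)
    revoke_client "$d" alice
    after=$(cert_status "$d" alice)
    rm -rf "$d"
    echo "$before $after"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not installed; skipping demo" >&2
fi
```

Run it with `sh crl_check.sh`; it prints `valid revoked`. If the second word is `valid`, the CRL handed to Apache does not actually contain the certificate, typically because `openssl ca -revoke` was run but `-gencrl` was not, and no httpd directive will help. If it is `revoked`, the CRL is fine and the problem is on the mod_ssl side.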
apachenubee
Joined: 05 Nov 2015 Posts: 2 Location: US, DC
Posted: Tue 10 Nov '15 14:08 Post subject: Found answer
After reading the mod_ssl manual again, I noticed I was missing the SSLCARevocationCheck directive.
Enables certificate revocation list (CRL) checking. At least one of SSLCARevocationFile or SSLCARevocationPath must be configured. When set to chain (recommended setting), CRL checks are applied to all certificates in the chain, while setting it to leaf limits the checks to the end-entity cert.
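The directive that was missing defaults to `none`, so a vhost can name a CRL file and never consult it. The script below is an added example, not code from the thread or from the Apache project: it writes the vhost from the first post twice, once as posted and once with `SSLCARevocationCheck chain` added after `SSLCARevocationFile`, and a small `crl_mode` function reports what each configuration actually does with the CRL. The function greps one file at a time and assumes one vhost per file; it does not parse `<VirtualHost>` scope, and the file names are assumptions of this script.

```shell
#!/bin/sh
# Added example (not from the original thread): flag an httpd.conf that names a
# CRL (SSLCARevocationFile/Path) without SSLCARevocationCheck, whose default
# "none" means the CRL is loaded but never consulted. Sample vhosts are
# constructed below from the first post; file names are assumptions.
set -eu

# crl_mode CONFIGFILE: print the effective CRL checking mode for the file:
#   no-crl         no SSLCARevocationFile/Path at all
#   missing-check  CRL configured but SSLCARevocationCheck absent or "none"
#   leaf / chain   the configured mode (last occurrence wins)
crl_mode() {
    f=$1
    n_crl=$(grep -Eic '^[[:space:]]*SSLCARevocation(File|Path)[[:space:]]' "$f" || true)
    mode=$(grep -Ei '^[[:space:]]*SSLCARevocationCheck[[:space:]]' "$f" \
        | awk '{ print tolower($2) }' | tail -n 1)
    if [ "$n_crl" -eq 0 ]; then
        echo no-crl
    elif [ -z "$mode" ] || [ "$mode" = none ]; then
        echo missing-check
    else
        echo "$mode"
    fi
}

# write_vhost FILE WITH_CHECK: write the vhost from the first post to FILE,
# inserting "SSLCARevocationCheck chain" when WITH_CHECK is "yes".
write_vhost() {
    f=$1; with_check=$2
    cat > "$f" <<'EOF'
<VirtualHost 192.168.0.11:443>
    DocumentRoot /opt/www/
    SSLEngine on
    SSLOptions +ExportCertData +StdEnvVars
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /www/apache/ssl/ca_cert.pem
    SSLOptions +FakeBasicAuth
    SSLCertificateFile /www/apache/ssl/test_dev.crt
    SSLCertificateKeyFile /www/apache/ssl/test_dev.key
    SSLCARevocationFile /www/apache/ssl/crl/crl.pem
EOF
    if [ "$with_check" = yes ]; then
        echo '    SSLCARevocationCheck chain' >> "$f"
    fi
    cat >> "$f" <<'EOF'
    SSLProxyEngine on
</VirtualHost>
EOF
}

# demo: audit the vhost as posted and the corrected one; prints "missing-check chain".
demo() {
    d=$(mktemp -d)
    write_vhost "$d/broken.conf" no
    write_vhost "$d/fixed.conf" yes
    r="$(crl_mode "$d/broken.conf") $(crl_mode "$d/fixed.conf")"
    rm -rf "$d"
    echo "$r"
}

demo
```

Two practical caveats go with the fix. With `chain`, OpenSSL requires a CRL for every issuer in the client's chain and fails the handshake when one is missing, so each CA in `SSLCACertificateFile` needs a CRL in the configured file or path; with a single-level CA and `SSLVerifyDepth 1` as in the post, `leaf` and `chain` end up checking the same certificate. And mod_ssl loads `SSLCARevocationFile` when httpd starts, so after regenerating crl.pem do a graceful restart, otherwise the old CRL stays in effect and a freshly revoked certificate is still accepted.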