Nelson B Bolyard wrote:
dave davesons wrote, On 2009-04-03 06:22 PDT:
If you import an updated version of a CRL in mod_nss and you make use of
the same nickname:
* Is it necessary to restart the web server for mod_nss to take it into
account?
* Does mod_nss still remember the old CRL?
Dave, while mod_nss uses NSS, it is not part of NSS and is not mozilla
software. The developer of mod_nss does not participate in this forum.
If there is a mod_nss forum (and I'm not sure there is) it would be on
one of Red Hat's servers.
Having said that, I will add that NSS has the ability to store CRLs in
the cert DB, along with certs, and it also has the ability to handle CRLs
that are loaded into memory during the lifetime of a running process, but
are not stored in the DBs. I do not know if mod_nss makes use of the CRL
storage facility of NSS's cert DB or not. In case it does, then the
following info is also relevant.
The DB presently has a limitation of storing no more than one CRL per
issuer cert. A new CRL stored in the cert DB displaces any previous CRL
stored in that same DB for the same issuer.
In general, NSS does not require any restart to handle new CRLs, but
the software that uses NSS (mod_nss in this case) might require it.
It should also be noted that if Dave is storing CRLs in the database,
and doing so from a different process than the Apache process, he needs
to be using the shared database (sqlite) in both crlutil and
Apache/mod_nss. Otherwise, the new CRL may not be seen by the server
process, or database corruption may occur.
Not having seen the source code for mod_nss I won't speculate further on
its implementation.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
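The point about crlutil and the server having to open the same database format is easy to get wrong, because the `sql:` and `dbm:` prefixes select different on-disk files in the same directory (cert9.db/key4.db for the shared sqlite store, cert8.db/key3.db for the legacy one). The script below is an added example, not code from the thread, from NSS or from mod_nss: it inspects the directory mod_nss points at, picks the matching prefix, refuses to import when the directory holds both formats (or neither), and only then runs crlutil. The directory path `/etc/httpd/alias` in the usage comment is a placeholder assumption.

```shell
#!/bin/sh
# Detect which NSS database format a directory holds, so that crlutil and
# Apache/mod_nss open the same store and the new CRL is actually seen.
#   shared (sqlite) store: cert9.db / key4.db  -> "sql:" prefix
#   legacy (dbm) store:    cert8.db / key3.db  -> "dbm:" prefix
nssdb_prefix() {
  dir=$1
  if [ -f "$dir/cert9.db" ] && [ ! -f "$dir/cert8.db" ]; then
    echo sql
  elif [ -f "$dir/cert8.db" ] && [ ! -f "$dir/cert9.db" ]; then
    echo dbm
  elif [ -f "$dir/cert8.db" ] && [ -f "$dir/cert9.db" ]; then
    echo both   # ambiguous: server and crlutil may read different stores
  else
    echo none   # not an NSS database directory
  fi
}

# Import (and thereby replace, one CRL per issuer) a CRL into the store.
# Refuses to run when the format is ambiguous or absent, since updating
# the wrong store would leave the server checking against a stale CRL.
# usage: import_crl /etc/httpd/alias /path/to/updated.crl   (paths assumed)
import_crl() {
  dir=$1
  crl=$2
  fmt=$(nssdb_prefix "$dir")
  case $fmt in
    sql|dbm) ;;
    *) echo "refusing: '$dir' holds '$fmt' NSS database(s)" >&2; return 1 ;;
  esac
  # -I import a CRL, -i input file (DER), -d database directory with prefix
  crlutil -I -i "$crl" -d "$fmt:$dir" || return 1
  # List CRLs afterwards; there should be one entry per issuer
  crlutil -L -d "$fmt:$dir"
}
```

Run the detection against the directory named by the mod_nss configuration (the directive name is mod_nss's business and is not stated in this thread); if it prints `dbm` while crlutil was being invoked with `sql:`, or the other way around, that is the mismatch Nelson describes.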