Updated Certificate Revocation List Is Not Read Immediately by HTTP Server
Last updated on APRIL 13, 2016
Applies to:Oracle HTTP Server - Version 10.1.2.0.2 to 10.1.3.5.0 [Release AS10gR2 to AS10gR3]
Information in this document applies to any platform.
This problem can occur on any platform.
"Checked for relevance - 12-MAY-2009"
- Configured HTTP Server for SSL and CRL checking using SSLCARevocationPath
- Configured as per <Note 418613.1> How to Configure CRL Checking in Oracle Application Server HTTP Server
- A new CRL is downloaded every hour using a cron job
- The CRL is converted to PEM, hashed via orapki and then renamed to .r0
- HTTP Server is not restarted
- After the first CRL expires, HTTPS connections suddenly fail and keep failing until, some 20 minutes or so later, they start working again on their own. No restart occurred, and the new CRL was already valid before the old one expired.
- Errors in the ssl_engine_log suggest that the server still considers the CRL expired:
[warn] Found CRL is expired - revoking all certificates until you get updated CRL
[error] SSL call to NZ function nzos_Handshake failed with error 29024 (server host.oracle.com:443, client X.X.X.X)
- This worked in 9.0.4
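The following script is an added example, not part of the Oracle note or of Oracle HTTP Server. It reproduces the hourly rotation step the symptom list describes (take a freshly downloaded PEM CRL, hash it, drop it into the SSLCARevocationPath directory as <hash>.r0 without restarting the server) and adds the two checks a practitioner would want given the failure above: the new CRL is refused if its nextUpdate falls inside the next refresh window, and the file is swapped in with an atomic rename so the server never reads a half-written copy. It assumes openssl is used for hashing and PEM handling in place of orapki (on a real OHS install the hashed name must come from orapki as the note says, since the two tools' hash schemes are not guaranteed to match), that the input CRL is already PEM, and that GNU date is available for parsing the nextUpdate timestamp.

```shell
#!/bin/sh
# Added example (not from the Oracle note): validate and rotate a CRL into an
# SSLCARevocationPath-style hashed directory. Assumes openssl (not orapki),
# PEM input, and GNU date.
set -eu

# Print the CRL's nextUpdate field as seconds since the epoch.
crl_next_update() {
    nu=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
    date -u -d "$nu" +%s
}

# Return 0 if the CRL in $1 stays valid for at least $2 more seconds.
# $2 should cover the refresh interval plus slack (the note refreshes hourly),
# so the copy on disk never expires before its replacement is installed.
crl_is_current() {
    next=$(crl_next_update "$1")
    now=$(date -u +%s)
    [ "$next" -gt $((now + $2)) ]
}

# Install the PEM CRL in $1 into the hashed directory $2 as <hash>.r0.
# The file is written under a temporary name and renamed, so a server reading
# the directory sees either the old CRL or the new one, never a partial file.
install_crl() {
    dir=$2
    mkdir -p "$dir"
    hash=$(openssl crl -in "$1" -noout -hash)   # issuer-name hash (openssl scheme)
    openssl crl -in "$1" -out "$dir/$hash.r0.tmp"  # re-emit as PEM
    mv -f "$dir/$hash.r0.tmp" "$dir/$hash.r0"
    echo "$dir/$hash.r0"
}

# Rotation entry point: $1 = downloaded CRL, $2 = SSLCARevocationPath,
# $3 = minimum remaining validity in seconds. Keeps the current CRL on disk
# when the new one would not outlive the next refresh.
rotate_crl() {
    if ! crl_is_current "$1" "$3"; then
        echo "refusing $1: nextUpdate is within $3 seconds, keeping current CRL" >&2
        return 1
    fi
    install_crl "$1" "$2"
}
```

Run it from the hourly cron job in place of the bare rename, e.g. `rotate_crl /tmp/new.crl /path/to/crldir 7200` for an hourly refresh with an hour of slack; a non-zero exit leaves the previously installed .r0 untouched and is the signal to alert on, since a server that cannot find a current CRL will fail closed exactly as the ssl_engine_log above shows.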