mprahl / s2i-angular-httpd24

S2I Builder for Angular Apps Based on the Official CentOS and RHEL httpd-24 Images
MIT License

Change default value of SSLCARevocationCheck to chain for better security? #1

Closed ghost closed 5 years ago

ghost commented 5 years ago

In your configuration file, I notice that you do not change the default value of SSLCARevocationCheck, which is none and disables certificate revocation list (CRL) checking.

The official HTTP Server documentation recommends setting SSLCARevocationCheck to chain for better security: "When set to chain (recommended setting), CRL checks are applied to all certificates in the chain".

I wonder if there is any security concern if SSLCARevocationCheck is set to none. Thanks.

mprahl commented 5 years ago

@HCHCHH I appreciate the security concern, but the SSLCARevocationCheck option is only useful when validating certificates presented to the Apache web server when it is performing client authentication. You can see this in the SSLCARevocationFile or SSLCARevocationPath documentation (related to SSLCARevocationCheck).

Since this is not something that is generally used when hosting an Angular application, I will close this issue.
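The point made in this thread, that SSLCARevocationCheck matters only when httpd validates client certificates, can be turned into a configuration check. The following is an added example, not code from this repository: the function names, result labels and sample configurations are constructed for illustration, and it assumes the whole text is one scope (virtual host boundaries are ignored).

```python
import re

# SSLVerifyClient levels at which httpd asks the client for a certificate.
REQUESTS_CLIENT_CERT = {"optional", "require", "optional_no_ca"}

def directives(conf_text):
    """Yield (lowercased name, args) per directive; skip comments and <Section> tags."""
    joined = re.sub(r"\\\r?\n", " ", conf_text)  # join backslash-continued lines
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = line.split()
            yield name.lower(), [a.strip('"') for a in args]

def audit_revocation(conf_text):
    """Classify CRL-checking posture. Simplification: whole text is one scope."""
    client_auth, check, crl_source = False, "none", False  # "none" is the default
    for name, args in directives(conf_text):
        if name == "sslverifyclient" and args:
            client_auth = client_auth or args[0].lower() in REQUESTS_CLIENT_CERT
        elif name == "sslcarevocationcheck" and args:
            check = args[0].lower()
        elif name in ("sslcarevocationfile", "sslcarevocationpath"):
            crl_source = True
    if not client_auth:
        return "not-applicable"      # no client certs validated, nothing to check
    if check == "none":
        return "crl-check-disabled"  # revoked client certs would still be accepted
    return "ok" if crl_source else "crl-source-missing"

# Constructed sample configs (paths are placeholders).
SERVER_TLS_ONLY = """
SSLEngine on
SSLCertificateFile /etc/pki/example/server.crt
SSLCertificateKeyFile /etc/pki/example/server.key
"""
MTLS_DEFAULT = SERVER_TLS_ONLY + """
SSLVerifyClient require
SSLCACertificateFile /etc/pki/example/client-ca.crt
"""
MTLS_WITH_CRL = MTLS_DEFAULT + """
SSLCARevocationCheck chain
SSLCARevocationFile /etc/pki/example/client-ca.crl
"""

if __name__ == "__main__":
    for label, conf in [("server TLS only", SERVER_TLS_ONLY),
                        ("mTLS, default", MTLS_DEFAULT),
                        ("mTLS, chain + CRL", MTLS_WITH_CRL)]:
        print(f"{label}: {audit_revocation(conf)}")
```

A server-TLS-only configuration reports not-applicable, which matches the reason given for closing the issue; the default becomes a finding only once SSLVerifyClient requests client certificates.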