A few days ago we received an email from a commercial Certificate Authority.
They had observed about 10.000 CRL downloads last week from an address belonging to an MWG we have installed for one of our customers, and "threatened" to blacklist our IP address.
The number of CRL downloads surprised us, since the MWG is scheduled to download CRLs only once a day.
The policies are set up to only allow HTTPS access to sites with certificates from CAs the MWG trusts, and not to allow access to sites whose certificates are proven revoked.
To verify if a certificate has been revoked, the MWG must read the CRL from the issuer, that's for sure.
But we expected it to read it from its local copy, from the scheduled download.
Or, at least, if it downloads it because of a client's request to an HTTPS site, that it cached it and used the cached copy for a period afterwards.
With over 10.000 CRL downloads in a week from 1 CA, it doesn't look like it uses a local copy a lot to me...
Has anyone had similar experiences, or an explanation for this behavior?
Should it be this way?
Message was edited by: Arild on 6/17/10 12:17:54 PM CDT
Message was edited by: Arild on 6/18/10 3:28:11 AM CDT
That sounds strange... haven't seen anything like that in support (on 6.8.6). What's their CRL update interval set to? That is set under Configuration > Update Manager > CRL's, the default is 24 hours.
I would wonder if any disk space issues exist causing repeated downloads... just a thought.
Also... you can check the update.log, and this would show you how many updates have taken place.
Message was edited by: Jon Scholten on 6/18/10 7:13:01 PM CDT and on 6/18/10 7:24:14 PM CDT
I think I have seen this recently. Check your errors.log for repeating messages about an automatic CRL addition.
If you have these messages, please open a ticket with support. I believe there might be a fix for that.
The CRL update interval is (as I mentioned in my opening post) once a day (24 hours).
I've just started vacation, but have asked my colleagues to follow this thread.
Hopefully they will answer if you have any further questions.
Thanks & Regards,